EUVD-2025-28667
CVSS Vector
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Autel MaxiCharger AC Wallbox Commercial Firmware Downgrade Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a firmware image before using it to perform an upgrade. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device. Was ZDI-CAN-26354.
Analysis
CVE-2025-5825 is a firmware downgrade remote code execution vulnerability in Autel MaxiCharger AC Wallbox Commercial charging stations that allows network-adjacent attackers with Bluetooth pairing capability to execute arbitrary code by uploading a malicious firmware image without proper validation. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality, integrity, and availability impact, though exploitation requires prior Bluetooth device pairing. This is a ZDI-coordinated disclosure (ZDI-CAN-26354) affecting commercial charging infrastructure.
Technical Context
The vulnerability exists in the firmware update mechanism of Autel MaxiCharger AC Wallbox Commercial units, a popular commercial EV charging station platform. The root cause is classified under CWE-1328 (Inadequate Implementation of Security Features in Firmware), specifically the lack of cryptographic signature verification or integrity validation before applying firmware updates. The attack vector is Adjacent Network (AV:A), indicating the attacker must first establish Bluetooth connectivity to the device—a pairing requirement that represents a significant prerequisite. The firmware update process accepts and applies untrusted firmware images without proper authentication, allowing an attacker who has paired a malicious Bluetooth device to downgrade or replace the firmware with a compromised version containing arbitrary code execution payloads.
Affected Products
Autel MaxiCharger AC Wallbox Commercial (all versions vulnerable to CVE-2025-5825, with specific versions unconfirmed in available data). CPE would likely be: cpe:2.3:h:autel:maxicharger_ac_wallbox_commercial:*:*:*:*:*:*:*:*. Vendor advisory details, specific patched versions, and affected firmware revisions should be confirmed via Autel's security advisory channels. Commercial installations typically include firmware versions in the 2.x and 3.x ranges, but exact vulnerable versions require vendor documentation.
Remediation
Immediate remediation steps: (1) Apply firmware updates from Autel addressing CVE-2025-5825 once released—monitor Autel's official security advisories for patched firmware versions; (2) Interim mitigations include disabling Bluetooth pairing on units where not operationally required, implementing network segmentation to isolate charging station management interfaces, and restricting Bluetooth device pairing to authorized personnel only; (3) Review Bluetooth pairing logs and revoke any unauthorized paired devices; (4) If available, implement signed firmware update verification at the network level before devices receive updates; (5) Coordinate with Autel support for patch availability timelines and staged deployment procedures for commercial fleets. Workarounds may include air-gapping management access, disabling remote firmware update capabilities if local update remains available, and physical security controls around charging stations to prevent unauthorized Bluetooth device proximity.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today