EUVD-2025-28757 | CVE-2025-6678
Severity: HIGH 7.5 (CVSS 3.0)
Published: 2025-06-25 ([email protected])

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 23:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 23:19 (euvd), as EUVD-2025-28757
CVE Published: Jun 25, 2025 18:15 (nvd)

Description

Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Pile API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26352.

Analysis

CVE-2025-6678 is an unauthenticated remote information disclosure vulnerability in the Pile API of Autel MaxiCharger AC Wallbox Commercial charging stations. Because the API does not authenticate callers before serving sensitive data, anyone who can reach it over the network can read credentials held by the device and use them for further compromise of the charging infrastructure. The CVSS 3.0 score of 7.5 reflects a high confidentiality impact with no integrity or availability impact; the vector (AV:N/AC:L/PR:N/UI:N) records that exploitation needs no privileges, no user interaction and no special preconditions. No public proof of concept is recorded on this page.

Technical Context

The vulnerability resides in the Pile API of Autel MaxiCharger AC Wallbox Commercial units, which are networked electric vehicle charging stations designed for commercial deployment. The root cause is classified as CWE-306 (Missing Authentication for Critical Function): the Pile API serves sensitive operational data, including credentials, without first verifying who is asking. The advisory does not name the transport; this analysis assumes the Pile API is exposed over HTTP/REST, as is typical for networked charging appliances. Under that assumption, any attacker who can open a connection to the unit, from the local network or from the internet where the station sits behind a public IP or port forward, can query the endpoint directly with no credentials at all. This is a fundamental API access-control failure of the kind common in IoT and charging infrastructure, where ease of commissioning and remote management has often been prioritised over authentication.

Affected Products

Autel MaxiCharger AC Wallbox Commercial charging stations; specific affected firmware versions are not provided in the available data. No CPE is listed either; an entry for this hardware would typically take the form cpe:2.3:h:autel:maxicharger_ac_wallbox_commercial:*:*:*:*:*:*:*:*, but confirm against NVD before relying on it for inventory matching. The advisory names only the commercial-grade unit; consumer or residential Autel MaxiCharger variants are not listed and should be assessed separately. The ZDI-CAN-26352 cross-reference indicates the issue was reported through the Zero Day Initiative coordinated disclosure process. Vendor advisory and patch information should be obtained directly from Autel support or Autel security advisories, since no patched firmware version is given in the description.

Remediation

1. **Immediate**: Restrict network access to the charging stations so that only trusted management hosts can reach the Pile API (firewall rules, network segmentation, IP allowlisting). Do not expose MaxiCharger AC Wallbox Commercial units directly to the internet; a port forward or public IP on the unit turns this into an internet-exploitable credential leak.
2. **Urgent**: Contact Autel support or check Autel's security advisories for firmware that addresses CVE-2025-6678 by enforcing authentication on the Pile API. No patched firmware version is named in the available data, so confirm the fix version with the vendor before declaring a unit remediated.
3. **Short-term**: Until patched firmware is available, place an authenticating reverse proxy or API gateway (e.g. nginx with client certificates or HTTP basic auth, or a WAF) in front of the Pile API. This only helps if the charger's own API port is reachable from the proxy host alone; if clients can still address the device directly, the proxy is bypassed and the control is worthless.
4. **Monitoring**: Review proxy and firewall logs for requests to the Pile API from unexpected sources; the device's own logs may not distinguish unauthenticated requests, so do not rely on them alone. Treat any credentials the API could return as compromised if the unit has been reachable by untrusted parties: rotate them and check the systems they grant access to for misuse.
5. **Long-term**: Deploy patched firmware once released, retire the compensating controls only after verifying that the API now rejects unauthenticated requests, and add periodic unauthenticated API testing of charging hardware to the maintenance schedule.
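The following nginx configuration is an added example of the compensating control in step 3; it is not part of the original page and is not Autel's own guidance. It assumes, as hypothetical values, that the charger serves its Pile API over plain HTTP at 192.0.2.10:80, that operators connect from the management network 10.20.30.0/24 and hold client certificates issued by an internal CA, and that the certificate and htpasswd paths shown exist on the proxy host.

```nginx
# Compensating control for CVE-2025-6678: terminate every request to the
# charger's Pile API at a reverse proxy that enforces mutual TLS, a
# source-IP allowlist and HTTP basic auth before anything reaches the device.
#
# The charger itself must be firewalled so that ONLY this proxy host can reach
# 192.0.2.10:80 (step 1 of the remediation). Without that rule clients can
# talk to the unauthenticated API directly and this configuration is bypassed.
#
# Assumed (not from the advisory): charger at 192.0.2.10:80 over plain HTTP,
# management network 10.20.30.0/24, internal CA for operator client certs.

server {
    listen 443 ssl;
    server_name maxicharger-proxy.example.internal;

    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    # Mutual TLS: only clients presenting a certificate signed by the
    # internal CA get past the handshake.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client      on;

    # Source-IP allowlist: management network only, everything else denied.
    allow 10.20.30.0/24;
    deny  all;

    # Operator account on top of the client certificate. With the default
    # "satisfy all", both the IP check and the password must pass.
    auth_basic           "MaxiCharger management";
    auth_basic_user_file /etc/nginx/htpasswd.maxicharger;

    # Separate access log so requests to the Pile API can be reviewed
    # (remediation step 4) without digging through other vhosts.
    access_log /var/log/nginx/maxicharger-access.log combined;

    location / {
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Do not forward the operator's basic-auth header to the charger;
        # an empty value removes the header from the proxied request.
        proxy_set_header Authorization "";
    }
}
```

Every request that reaches the charger is then tied to a specific client certificate and operator account in the proxy's access log, which is the audit trail step 4 asks for. Once patched firmware is deployed and the API has been verified to reject unauthenticated requests on its own, the proxy can be retired or kept as defence in depth.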

Priority Score

38 (KEV: 0, EPSS: +0.2, CVSS: +38, POC: 0)
