CVE-2025-3606 is a medium-severity vulnerability identified in the Vestel AC Charger model EVC04, specifically affecting firmware version 3.75.0. The vulnerability is categorized under CWE-497, which relates to the exposure of sensitive information to an unauthorized actor. In this case, the flaw allows an attacker to access files on the device that contain sensitive information, including credentials. These credentials could be leveraged to further compromise the device, potentially enabling unauthorized control or manipulation of the charger. The vulnerability arises from improper protection or access control mechanisms on sensitive files within the device's file system. Since the Vestel AC Charger EVC04 is an industrial control system component used for electric vehicle charging, unauthorized access to such devices could have implications for operational security and user privacy. No known exploits are currently reported in the wild, and no patches have been published as of the vulnerability disclosure date (April 24, 2025). The vulnerability was reserved and assigned by ICS-CERT, indicating its relevance to industrial control systems security. The absence of a CVSS score requires an independent severity assessment based on the potential impact and exploitability factors.

For European organizations, the impact of this vulnerability could be significant, especially for entities involved in electric vehicle infrastructure, energy distribution, and smart grid management. Unauthorized access to sensitive credentials could allow attackers to manipulate charging operations, disrupt service availability, or pivot to other networked systems, potentially causing operational downtime or data breaches. Given the increasing adoption of electric vehicles and associated charging infrastructure across Europe, compromised chargers could serve as entry points for broader attacks on critical infrastructure. Additionally, exposure of credentials may lead to privacy violations if user or operational data is accessed. The impact is heightened in sectors where reliability and security of charging infrastructure are critical, such as public transportation hubs, commercial fleets, and energy providers. While no active exploitation is currently known, the vulnerability presents a risk that could be exploited by threat actors targeting European energy and transportation sectors.

1. Immediate mitigation should include isolating affected Vestel AC Charger EVC04 devices running firmware version 3.75.0 from critical networks until a patch is available. 2. Implement strict network segmentation and access controls to limit communication with the charger devices, reducing the attack surface. 3. Monitor network traffic for unusual access patterns or attempts to retrieve sensitive files from the chargers. 4. Employ strong authentication and authorization mechanisms on management interfaces to prevent unauthorized access. 5. Coordinate with Vestel for firmware updates or patches addressing this vulnerability and apply them promptly once released. 6. Conduct regular audits of device configurations and file permissions to ensure sensitive files are not exposed. 7. Consider deploying intrusion detection systems tailored for industrial control systems to detect exploitation attempts. 8. Educate operational technology (OT) personnel about the risks associated with this vulnerability and best practices for secure device management.