CVE-2025-5749: CWE-457: Use of Uninitialized Variable in WOLFBOX Level 2 EV Charger
WOLFBOX Level 2 EV Charger BLE Encryption Keys Uninitialized Variable Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of cryptographic keys used in vendor-specific encrypted communications. The issue results from the lack of proper initialization of a variable prior to accessing it. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26295.
AI Analysis
Technical Summary
CVE-2025-5749 is a medium-severity vulnerability identified in the WOLFBOX Level 2 Electric Vehicle (EV) Charger, specifically affecting firmware versions 3.1.17 (main) and 1.2.6 (MCU). The vulnerability stems from a CWE-457 issue, which is the use of an uninitialized variable related to the handling of Bluetooth Low Energy (BLE) encryption keys. In this context, the cryptographic keys used for vendor-specific encrypted communications are not properly initialized before use. This flaw allows a network-adjacent attacker to bypass authentication mechanisms without requiring any prior authentication or user interaction. The vulnerability effectively compromises the integrity of the authentication process, enabling unauthorized access to the charger’s control interface or communication channels. Exploitation could allow attackers to manipulate charging sessions, disrupt service availability, or potentially pivot to other connected systems if the charger is integrated into broader smart grid or building management networks. Although no known exploits are currently reported in the wild, the vulnerability’s presence in a critical infrastructure component like EV chargers raises concerns about potential future exploitation. The CVSS 3.0 score of 6.3 reflects a medium severity, considering the attack vector is adjacent network access, low attack complexity, no privileges required, and no user interaction needed, with limited confidentiality, integrity, and availability impacts.
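The advisory publishes no code, so the C sketch below is an added, generic illustration of the CWE-457 pattern described above, not WOLFBOX firmware. `struct session`, `toy_tag` and the `verify_*` functions are hypothetical names, and the tag function is a stand-in rather than a real MAC. It shows why verification must fail closed when a key buffer has never been provisioned.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16

/* Hypothetical session state; not taken from any vendor firmware. */
struct session {
    uint8_t key[KEY_LEN];
    int     key_ready;              /* set only by session_set_key() */
};

/* Stand-in keyed tag (FNV-1a over key || msg). NOT a real MAC; it only
 * makes the control flow of the two verifiers observable. */
static uint32_t toy_tag(const uint8_t *key, const uint8_t *msg, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < KEY_LEN; i++) h = (h ^ key[i]) * 16777619u;
    for (size_t i = 0; i < n; i++)       h = (h ^ msg[i]) * 16777619u;
    return h;
}

/* Give every field a defined value. In the bug class the key bytes are
 * whatever memory held before; zeroing keeps this demo deterministic. */
void session_init(struct session *s)
{
    memset(s, 0, sizeof *s);
}

void session_set_key(struct session *s, const uint8_t key[KEY_LEN])
{
    memcpy(s->key, key, KEY_LEN);
    s->key_ready = 1;
}

/* CWE-457 shape: trusts s->key whether or not anything ever wrote it,
 * so a never-provisioned (predictable) key still yields "valid" tags. */
int verify_unchecked(const struct session *s, const uint8_t *msg,
                     size_t n, uint32_t tag)
{
    return toy_tag(s->key, msg, n) == tag;
}

/* Hardened form: refuse to authenticate until a key has been set. */
int verify_checked(const struct session *s, const uint8_t *msg,
                   size_t n, uint32_t tag)
{
    if (!s->key_ready)
        return 0;                   /* fail closed */
    return toy_tag(s->key, msg, n) == tag;
}
```

Compiler and analysis options such as `-Wuninitialized` and MemorySanitizer help catch reads of never-written variables, but the explicit `key_ready` gate is what keeps the check safe if an initialization path is skipped at run time.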
Potential Impact
For European organizations, the impact of this vulnerability could be significant given the increasing adoption of EV infrastructure across the continent. Unauthorized access to EV chargers could lead to disruptions in charging availability, affecting fleet operations, public charging stations, and private installations. This could result in operational downtime, financial losses, and reputational damage, especially for service providers and municipalities relying on these chargers. Furthermore, compromised chargers could be leveraged as entry points into corporate or municipal networks, potentially exposing sensitive data or enabling lateral movement. The confidentiality impact is limited but not negligible, as attackers might intercept or manipulate encrypted communications. Integrity and availability impacts are more pronounced, with the possibility of unauthorized control or denial of service. Given the strategic push for green energy and EV adoption in Europe, ensuring the security of charging infrastructure is critical to maintaining trust and operational continuity.
Mitigation Recommendations
To mitigate this vulnerability, European organizations using WOLFBOX Level 2 EV Chargers should prioritize the following actions:
1) Apply firmware updates as soon as they become available from WOLFBOX. No patches are currently listed, so maintain close communication with the vendor for timely releases.
2) Implement network segmentation to isolate EV chargers from critical IT and OT networks, limiting the potential for lateral movement if a charger is compromised.
3) Employ network-level access controls such as firewalls and BLE signal filtering to restrict access to authorized devices only.
4) Monitor network traffic for anomalous BLE communication patterns that could indicate exploitation attempts.
5) Conduct regular security assessments and penetration testing on EV charging infrastructure to identify and remediate weaknesses proactively.
6) Engage with vendors to ensure secure key management practices and request transparency on cryptographic implementations.
7) Consider deploying additional authentication layers or VPN tunnels for remote management interfaces to compensate for the authentication bypass risk.
Affected Countries
Germany, France, Netherlands, United Kingdom, Norway, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2025-06-05T20:45:30.134Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68430d3871f4d251b5cfea81
Added to database: 6/6/2025, 3:46:00 PM
Last enriched: 7/8/2025, 3:58:30 AM
Last updated: 8/6/2025, 10:05:00 PM