CVE-2025-5751: CWE-798: Use of Hard-coded Credentials in WOLFBOX Level 2 EV Charger

Severity: Medium
Published: Fri Jun 06 2025 (06/06/2025, 15:29:51 UTC)
Source: CVE Database V5
Vendor/Project: WOLFBOX
Product: Level 2 EV Charger

Description

WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292.

AI-Powered Analysis

Last updated: 07/08/2025, 03:58:16 UTC

Technical Analysis

CVE-2025-5751 is a vulnerability identified in the WOLFBOX Level 2 Electric Vehicle (EV) Charger, specifically affecting versions 3.1.17 (main) and 1.2.6 (MCU). The vulnerability is classified under CWE-798, which pertains to the use of hard-coded credentials. In this case, the flaw arises from the management cards used to control the charger. These management cards lack personalization, meaning that the same credentials or authentication tokens are embedded and reused across devices. This design flaw allows an attacker with physical access to the charger to bypass authentication controls without needing any prior authentication or user interaction. The vulnerability does not impact confidentiality but has a significant impact on integrity, as unauthorized users can gain management-level access to the charger. This could allow them to manipulate charging parameters, disrupt charging sessions, or potentially cause damage to the hardware or connected vehicles. The vulnerability requires physical presence, as exploitation involves interaction with the management card system. No known exploits are currently reported in the wild, and no patches have been released yet. The CVSS v3.0 score is 4.6 (medium severity), reflecting the limited attack vector (physical access) but significant impact on system integrity. The vulnerability was published on June 6, 2025, and was assigned by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-26292.

Potential Impact

For European organizations, especially those involved in EV infrastructure, this vulnerability poses a tangible risk. Unauthorized physical access to charging stations could lead to manipulation of charging operations, potentially causing service disruptions or damage to EV batteries and hardware. This could undermine trust in EV infrastructure reliability and safety, impacting public and private charging networks. Critical infrastructure operators, fleet managers, and public charging station providers may face operational disruptions and reputational damage. Furthermore, attackers could leverage compromised chargers as entry points for broader network attacks if the chargers are connected to corporate or utility networks. The lack of authentication requirement lowers the barrier for exploitation, increasing risk in environments where physical security is not tightly controlled. Given the increasing adoption of EVs across Europe, the vulnerability could affect a wide range of stakeholders from municipal operators to private enterprises.

Mitigation Recommendations

Mitigation should focus on both immediate and long-term measures. Immediately, organizations should enforce strict physical security controls around EV charging stations to prevent unauthorized physical access. This includes surveillance, access restrictions, and tamper-evident seals on management card interfaces. Network segmentation is critical; chargers should be isolated from sensitive networks to limit lateral movement if compromised. Monitoring and logging of charger management activities should be implemented to detect anomalous behavior. In the longer term, WOLFBOX should be urged to release firmware updates that eliminate hard-coded credentials by implementing unique, personalized management cards or alternative strong authentication mechanisms. Organizations should plan for timely deployment of such patches once available. Additionally, conducting regular security assessments of EV infrastructure and incorporating security requirements into procurement processes can reduce exposure to similar vulnerabilities.
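The long-term fix named above, unique personalized management cards, sketched as an added example (not WOLFBOX code; the page does not describe the card protocol). It assumes an HMAC-SHA256 key diversified from the card UID and a per-site master secret, checked by challenge-response; all names and the sample UID are constructed for illustration.

```python
import hashlib
import hmac
import secrets

LABEL = b"mgmt-card-v1"  # assumed domain-separation label

def diversify_key(site_master: bytes, card_uid: bytes) -> bytes:
    """Per-card key = HMAC-SHA256(site master, label || UID)."""
    return hmac.new(site_master, LABEL + card_uid, hashlib.sha256).digest()

class Card:
    """Stand-in for a personalized card: it holds only its own key."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Charger:
    """Verifier. The master is provisioned per site, never a firmware constant."""
    def __init__(self, site_master: bytes, enrolled_uids):
        self._master = site_master
        self._enrolled = set(enrolled_uids)

    def revoke(self, uid: bytes) -> None:
        self._enrolled.discard(uid)  # a lost card is removed individually

    def authenticate(self, card: Card) -> bool:
        if card.uid not in self._enrolled:
            return False
        challenge = secrets.token_bytes(16)  # fresh nonce, so replies cannot be replayed
        key = diversify_key(self._master, card.uid)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(challenge))

def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed sample UID
    site_a, site_b = secrets.token_bytes(32), secrets.token_bytes(32)
    charger_a, charger_b = Charger(site_a, [uid]), Charger(site_b, [uid])
    card = Card(uid, diversify_key(site_a, uid))
    results = {
        "own_site": charger_a.authenticate(card),
        "other_site": charger_b.authenticate(card),  # same UID, different master
        "uid_only_copy": charger_a.authenticate(Card(uid, b"\x00" * 32)),
    }
    charger_a.revoke(uid)
    results["after_revoke"] = charger_a.authenticate(card)
    return results
```

With this design a card is accepted only by the site it was personalized for, and a single card can be revoked without reissuing the rest; the master secret still needs protected storage on the charger.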

Technical Details

Data Version: 5.1
Assigner Short Name: zdi
Date Reserved: 2025-06-05T20:45:43.845Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68430d3871f4d251b5cfea87

Added to database: 6/6/2025, 3:46:00 PM

Last enriched: 7/8/2025, 3:58:16 AM

Last updated: 8/12/2025, 6:01:03 AM
