Skip to main content

CVE-2025-5822: CWE-863: Incorrect Authorization in Autel Autel MaxiCharger AC Wallbox Commercial

High
VulnerabilityCVE-2025-5822cvecve-2025-5822cwe-863
Published: Wed Jun 25 2025 (06/25/2025, 18:00:49 UTC)
Source: CVE Database V5
Vendor/Project: Autel
Product: Autel MaxiCharger AC Wallbox Commercial

Description

Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain a low-privileged authorization token in order to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26325.

AI-Powered Analysis

AILast updated: 06/25/2025, 18:42:15 UTC

Technical Analysis

CVE-2025-5822 is a high-severity vulnerability affecting the Autel MaxiCharger AC Wallbox Commercial electric vehicle charging stations, specifically version 1.36.00. The vulnerability arises from an incorrect authorization implementation in the Autel Technician API, which is designed to provide maintenance and configuration capabilities to authorized technicians. The flaw allows an attacker who has already obtained a low-privileged authorization token to escalate their privileges and gain access to resources and functions that should be restricted. This privilege escalation occurs due to improper validation of authorization levels within the API, classified under CWE-863 (Incorrect Authorization). The vulnerability does not require user interaction and can be exploited remotely over the network (CVSS vector AV:N/AC:L/PR:L/UI:N). While the attacker must first acquire a low-privileged token, the low attack complexity and lack of user interaction make exploitation feasible once initial access is obtained. The impact primarily affects confidentiality, allowing unauthorized access to sensitive data or control functions, with limited impact on integrity and no direct availability impact. No known exploits are currently reported in the wild, and no patches have been published at the time of disclosure. The vulnerability was publicly disclosed on June 25, 2025, and was assigned CVSS 3.0 base score 7.1, indicating a high severity level. The affected product is a commercial EV charging station, which is critical infrastructure in the growing electric vehicle ecosystem.

Potential Impact

For European organizations, this vulnerability poses significant risks, especially for entities operating or managing EV charging infrastructure such as utility companies, commercial parking operators, and municipalities investing in green transportation. Unauthorized privilege escalation could allow attackers to access sensitive operational data, manipulate charging sessions, or disrupt billing and user authentication processes. This could lead to financial losses, reputational damage, and potential regulatory penalties under GDPR if personal data is exposed. Additionally, compromised charging stations could be leveraged as entry points into broader industrial or enterprise networks, increasing the risk of lateral movement and further compromise. The impact is heightened in Europe due to the continent's aggressive push towards electric mobility and the widespread deployment of EV charging infrastructure. Disruption or manipulation of these systems could undermine trust in EV services and slow adoption rates. Furthermore, attackers could exploit this vulnerability to interfere with energy management systems, potentially affecting grid stability if large numbers of chargers are compromised.

Mitigation Recommendations

1. Immediate implementation of network segmentation to isolate EV charging infrastructure from critical enterprise and operational technology networks, limiting attacker lateral movement. 2. Enforce strict access controls and multi-factor authentication (MFA) for all technician and administrative interfaces to reduce the risk of low-privileged token compromise. 3. Monitor API access logs for anomalous behavior indicative of privilege escalation attempts, such as unusual API calls or access patterns inconsistent with technician roles. 4. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tailored to detect exploitation attempts targeting the Autel Technician API. 5. Coordinate with Autel for timely patching once updates become available; in the interim, consider disabling or restricting remote access to the Technician API where feasible. 6. Conduct regular security audits and penetration testing focused on EV charging infrastructure to identify and remediate similar authorization weaknesses. 7. Implement strict credential management policies, including regular rotation and revocation of technician tokens, to minimize the window of opportunity for attackers. 8. Engage in threat intelligence sharing with industry groups and national cybersecurity centers to stay informed about emerging exploits and mitigation strategies specific to EV infrastructure.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
zdi
Date Reserved
2025-06-06T19:16:34.664Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 685c3f5ae230f5b234855972

Added to database: 6/25/2025, 6:26:34 PM

Last enriched: 6/25/2025, 6:42:15 PM

Last updated: 8/18/2025, 11:53:31 AM

Views: 9

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats