CVE-2025-5822: CWE-863: Incorrect Authorization in Autel Autel MaxiCharger AC Wallbox Commercial
Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain a low-privileged authorization token in order to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26325.
AI Analysis
Technical Summary
CVE-2025-5822 is a high-severity vulnerability affecting the Autel MaxiCharger AC Wallbox Commercial electric vehicle charging stations, specifically version 1.36.00. The vulnerability arises from an incorrect authorization implementation in the Autel Technician API, which is designed to provide maintenance and configuration capabilities to authorized technicians. The flaw allows an attacker who has already obtained a low-privileged authorization token to escalate their privileges and gain access to resources and functions that should be restricted. This privilege escalation occurs due to improper validation of authorization levels within the API, classified under CWE-863 (Incorrect Authorization). The vulnerability does not require user interaction and can be exploited remotely over the network (CVSS vector AV:N/AC:L/PR:L/UI:N). While the attacker must first acquire a low-privileged token, the low attack complexity and lack of user interaction make exploitation feasible once initial access is obtained. The impact primarily affects confidentiality, allowing unauthorized access to sensitive data or control functions, with limited impact on integrity and no direct availability impact. No known exploits are currently reported in the wild, and no patches have been published at the time of disclosure. The vulnerability was publicly disclosed on June 25, 2025, and was assigned CVSS 3.0 base score 7.1, indicating a high severity level. The affected product is a commercial EV charging station, which is critical infrastructure in the growing electric vehicle ecosystem.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for entities operating or managing EV charging infrastructure such as utility companies, commercial parking operators, and municipalities investing in green transportation. Unauthorized privilege escalation could allow attackers to access sensitive operational data, manipulate charging sessions, or disrupt billing and user authentication processes. This could lead to financial losses, reputational damage, and potential regulatory penalties under GDPR if personal data is exposed. Additionally, compromised charging stations could be leveraged as entry points into broader industrial or enterprise networks, increasing the risk of lateral movement and further compromise. The impact is heightened in Europe due to the continent's aggressive push towards electric mobility and the widespread deployment of EV charging infrastructure. Disruption or manipulation of these systems could undermine trust in EV services and slow adoption rates. Furthermore, attackers could exploit this vulnerability to interfere with energy management systems, potentially affecting grid stability if large numbers of chargers are compromised.
Mitigation Recommendations
1. Immediate implementation of network segmentation to isolate EV charging infrastructure from critical enterprise and operational technology networks, limiting attacker lateral movement. 2. Enforce strict access controls and multi-factor authentication (MFA) for all technician and administrative interfaces to reduce the risk of low-privileged token compromise. 3. Monitor API access logs for anomalous behavior indicative of privilege escalation attempts, such as unusual API calls or access patterns inconsistent with technician roles. 4. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tailored to detect exploitation attempts targeting the Autel Technician API. 5. Coordinate with Autel for timely patching once updates become available; in the interim, consider disabling or restricting remote access to the Technician API where feasible. 6. Conduct regular security audits and penetration testing focused on EV charging infrastructure to identify and remediate similar authorization weaknesses. 7. Implement strict credential management policies, including regular rotation and revocation of technician tokens, to minimize the window of opportunity for attackers. 8. Engage in threat intelligence sharing with industry groups and national cybersecurity centers to stay informed about emerging exploits and mitigation strategies specific to EV infrastructure.
Affected Countries
Germany, France, Netherlands, Norway, United Kingdom, Sweden, Belgium, Denmark
CVE-2025-5822: CWE-863: Incorrect Authorization in Autel Autel MaxiCharger AC Wallbox Commercial
Description
Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain a low-privileged authorization token in order to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26325.
AI-Powered Analysis
Technical Analysis
CVE-2025-5822 is a high-severity vulnerability affecting the Autel MaxiCharger AC Wallbox Commercial electric vehicle charging stations, specifically version 1.36.00. The vulnerability arises from an incorrect authorization implementation in the Autel Technician API, which is designed to provide maintenance and configuration capabilities to authorized technicians. The flaw allows an attacker who has already obtained a low-privileged authorization token to escalate their privileges and gain access to resources and functions that should be restricted. This privilege escalation occurs due to improper validation of authorization levels within the API, classified under CWE-863 (Incorrect Authorization). The vulnerability does not require user interaction and can be exploited remotely over the network (CVSS vector AV:N/AC:L/PR:L/UI:N). While the attacker must first acquire a low-privileged token, the low attack complexity and lack of user interaction make exploitation feasible once initial access is obtained. The impact primarily affects confidentiality, allowing unauthorized access to sensitive data or control functions, with limited impact on integrity and no direct availability impact. No known exploits are currently reported in the wild, and no patches have been published at the time of disclosure. The vulnerability was publicly disclosed on June 25, 2025, and was assigned CVSS 3.0 base score 7.1, indicating a high severity level. The affected product is a commercial EV charging station, which is critical infrastructure in the growing electric vehicle ecosystem.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for entities operating or managing EV charging infrastructure such as utility companies, commercial parking operators, and municipalities investing in green transportation. Unauthorized privilege escalation could allow attackers to access sensitive operational data, manipulate charging sessions, or disrupt billing and user authentication processes. This could lead to financial losses, reputational damage, and potential regulatory penalties under GDPR if personal data is exposed. Additionally, compromised charging stations could be leveraged as entry points into broader industrial or enterprise networks, increasing the risk of lateral movement and further compromise. The impact is heightened in Europe due to the continent's aggressive push towards electric mobility and the widespread deployment of EV charging infrastructure. Disruption or manipulation of these systems could undermine trust in EV services and slow adoption rates. Furthermore, attackers could exploit this vulnerability to interfere with energy management systems, potentially affecting grid stability if large numbers of chargers are compromised.
Mitigation Recommendations
1. Immediate implementation of network segmentation to isolate EV charging infrastructure from critical enterprise and operational technology networks, limiting attacker lateral movement. 2. Enforce strict access controls and multi-factor authentication (MFA) for all technician and administrative interfaces to reduce the risk of low-privileged token compromise. 3. Monitor API access logs for anomalous behavior indicative of privilege escalation attempts, such as unusual API calls or access patterns inconsistent with technician roles. 4. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tailored to detect exploitation attempts targeting the Autel Technician API. 5. Coordinate with Autel for timely patching once updates become available; in the interim, consider disabling or restricting remote access to the Technician API where feasible. 6. Conduct regular security audits and penetration testing focused on EV charging infrastructure to identify and remediate similar authorization weaknesses. 7. Implement strict credential management policies, including regular rotation and revocation of technician tokens, to minimize the window of opportunity for attackers. 8. Engage in threat intelligence sharing with industry groups and national cybersecurity centers to stay informed about emerging exploits and mitigation strategies specific to EV infrastructure.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- zdi
- Date Reserved
- 2025-06-06T19:16:34.664Z
- Cvss Version
- 3.0
- State
- PUBLISHED
Threat ID: 685c3f5ae230f5b234855972
Added to database: 6/25/2025, 6:26:34 PM
Last enriched: 6/25/2025, 6:42:15 PM
Last updated: 8/1/2025, 11:08:54 AM
Views: 8
Related Threats
CVE-2025-41242: Vulnerability in VMware Spring Framework
MediumCVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5
HighCVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU
HighCVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340
HighCVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.