CVE-2025-5824 is an authentication bypass vulnerability affecting the Autel MaxiCharger AC Wallbox Commercial, a device used for electric vehicle charging. The vulnerability arises from an origin validation error in the handling of Bluetooth pairing requests. Specifically, the system fails to properly validate the origin of incoming Bluetooth commands, which allows a network-adjacent attacker to bypass authentication mechanisms. To exploit this vulnerability, an attacker must first gain the ability to pair a malicious Bluetooth device with the target charger. Once paired, the attacker can send commands that the system incorrectly accepts as authenticated, potentially allowing unauthorized control or manipulation of the device. The vulnerability is classified under CWE-346 (Origin Validation Error), indicating a failure to verify the source of commands or requests. The affected version is 1.36.00 of the Autel MaxiCharger AC Wallbox Commercial. The CVSS v3.0 base score is 5.0 (medium severity), with vector AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating that the attack requires adjacent network access (Bluetooth), high attack complexity, no privileges or user interaction, and impacts confidentiality, integrity, and availability to a low degree. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability could allow attackers to manipulate charging sessions, disrupt service availability, or potentially cause safety issues if the device is controlled maliciously.

For European organizations, especially those operating electric vehicle (EV) charging infrastructure, this vulnerability presents a moderate risk. Unauthorized access to commercial EV chargers could lead to service disruptions, impacting fleet operations, public charging availability, and customer trust. Manipulation of charging parameters could cause financial loss or damage to connected vehicles. Confidentiality impact is limited but could include exposure of usage data or operational status. Integrity and availability impacts, while rated low, could affect operational continuity and safety if attackers disrupt charging sessions or cause device malfunctions. Organizations managing large EV fleets, public charging networks, or critical infrastructure relying on these chargers may face operational and reputational risks. Given the increasing adoption of EVs in Europe and the strategic importance of clean energy infrastructure, such vulnerabilities could have broader implications if exploited at scale.

1. Restrict Bluetooth pairing capabilities to trusted devices only, implementing strict device whitelisting and pairing authorization policies. 2. Monitor Bluetooth activity on charging stations for anomalous pairing attempts or unusual command sequences. 3. Deploy network segmentation and access controls to limit Bluetooth communication to authorized personnel and devices. 4. Engage with Autel for firmware updates or patches addressing this vulnerability; prioritize updating affected devices once available. 5. Implement physical security controls to prevent unauthorized proximity to charging stations, reducing the risk of malicious Bluetooth pairing. 6. Conduct regular security assessments and penetration testing focused on Bluetooth interfaces of EV charging infrastructure. 7. Educate operational staff about the risks of Bluetooth-based attacks and establish incident response procedures for suspected compromises. 8. Where feasible, disable Bluetooth interfaces on chargers if remote management is not required or use alternative secure communication channels.