CVE-2025-5827: CWE-121: Stack-based Buffer Overflow in Autel MaxiCharger AC Wallbox Commercial
Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ble_process_esp32_msg function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26369.
AI Analysis
Technical Summary
CVE-2025-5827 is a high-severity stack-based buffer overflow vulnerability affecting the Autel MaxiCharger AC Wallbox Commercial electric vehicle (EV) charging stations, specifically version 1.36.00. The flaw resides in the ble_process_esp32_msg function, which processes Bluetooth Low Energy (BLE) messages on the device. The vulnerability arises due to improper validation of the length of user-supplied data before it is copied into a fixed-length buffer on the stack. This lack of bounds checking allows a network-adjacent attacker to send specially crafted BLE messages that overflow the buffer, leading to arbitrary code execution within the context of the device's firmware. Notably, exploitation does not require any authentication or user interaction, significantly lowering the barrier for attackers. Successful exploitation could allow an attacker to take full control of the EV charger, potentially manipulating charging operations, disrupting service availability, or using the device as a foothold for lateral movement within a network. Although no known exploits are currently reported in the wild, the vulnerability's CVSS score of 8.8 (high) reflects its critical impact on confidentiality, integrity, and availability. The vulnerability was publicly disclosed on June 25, 2025, and was tracked as ZDI-CAN-26369 prior to CVE assignment. No patches or mitigations have been officially released at the time of this analysis, increasing the urgency for affected organizations to implement compensating controls.
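As an added illustration that is not Autel's code and does not use the real ble_process_esp32_msg message format (the page does not describe it), the C below contrasts the CWE-121 pattern the analysis describes with a hardened handler: a hypothetical BLE frame carries a one-byte declared payload length, and only the checked version bounds that length against both the stack buffer's capacity and the bytes actually received before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout, for illustration only (not Autel's format):
 *   byte 0   : message type
 *   byte 1   : declared payload length, taken straight from the radio
 *   byte 2.. : payload bytes
 */
#define MAX_PAYLOAD 32

/* CWE-121 pattern described in the analysis: the received payload is copied
 * into a fixed-size stack buffer without comparing its length to the
 * buffer's capacity. Shown only for contrast with the hardened form. */
int process_msg_unchecked(const uint8_t *msg, size_t msg_len)
{
    uint8_t payload[MAX_PAYLOAD];
    if (msg == NULL || msg_len < 2) return -1;
    memcpy(payload, msg + 2, msg_len - 2);   /* more than 32 bytes smashes the stack */
    return (int)(msg_len - 2);
}

/* Hardened form: bound the declared length by the buffer capacity and by the
 * number of bytes actually received before any copy takes place. */
int process_msg_checked(const uint8_t *msg, size_t msg_len, uint8_t *type_out)
{
    uint8_t payload[MAX_PAYLOAD];
    if (msg == NULL || msg_len < 2) return -1;   /* header incomplete */
    size_t declared = msg[1];
    if (declared > MAX_PAYLOAD) return -2;       /* would overflow payload[] */
    if (declared > msg_len - 2) return -3;       /* claims bytes never received */
    memcpy(payload, msg + 2, declared);
    if (type_out) *type_out = msg[0];
    return (int)declared;                        /* bytes accepted */
}

/* Constructed sample frames (not captured from a real charger). */
int demo_valid(void)     { const uint8_t m[] = {0x01, 0x04, 0xAA, 0xBB, 0xCC, 0xDD}; return process_msg_checked(m, sizeof m, NULL); }
int demo_oversized(void) { const uint8_t m[] = {0x01, 0xFF, 0xAA}; return process_msg_checked(m, sizeof m, NULL); }
int demo_truncated(void) { const uint8_t m[] = {0x01, 0x05, 0xAA}; return process_msg_checked(m, sizeof m, NULL); }

int main(void)
{
    printf("valid=%d oversized=%d truncated=%d\n",
           demo_valid(), demo_oversized(), demo_truncated());
    return 0;
}
```

The two rejection codes separate the two checks a fix needs: a declared length larger than the destination, and a declared length larger than what was actually received.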
Potential Impact
For European organizations, the impact of this vulnerability is significant due to the increasing adoption of EV infrastructure across the continent, driven by stringent environmental policies and incentives. Compromise of Autel MaxiCharger AC Wallbox Commercial units could lead to unauthorized manipulation of charging sessions, potentially causing financial losses, operational disruptions, or safety hazards. Additionally, compromised chargers could be leveraged as entry points into corporate or municipal networks, especially in smart city deployments or commercial fleet management environments. The integrity and availability of EV charging infrastructure are critical for transportation and energy sectors, and disruption could undermine public trust and regulatory compliance. Given that no authentication is required for exploitation, an attacker only needs to be within Bluetooth radio range, which in some cases extends beyond the physical premises. This elevates the risk for organizations with chargers installed in publicly accessible or semi-public locations. Furthermore, the potential for arbitrary code execution raises concerns about persistent malware implantation, data exfiltration, or use of the device in broader attack campaigns.
Mitigation Recommendations
1. Immediate network segmentation: Isolate EV charging stations from critical internal networks to limit lateral movement in case of compromise.
2. Restrict Bluetooth access: Where possible, disable or limit BLE connectivity to trusted devices only, using MAC address filtering or BLE whitelisting.
3. Monitor BLE traffic: Deploy specialized monitoring tools to detect anomalous BLE messages or patterns indicative of exploitation attempts.
4. Firmware update vigilance: Engage with Autel for timely release of patches and apply updates promptly once available.
5. Physical security enhancements: Restrict physical access to chargers to prevent local exploitation or tampering.
6. Incident response readiness: Prepare for potential compromise scenarios by establishing procedures for rapid isolation and forensic analysis of affected devices.
7. Vendor communication: Maintain active communication channels with Autel and industry groups to receive threat intelligence and mitigation guidance.
8. Network access control (NAC): Implement NAC policies to ensure only authorized devices can communicate with EV chargers over the network.
These measures go beyond generic advice by focusing on BLE-specific controls, network architecture adjustments, and proactive monitoring tailored to the unique attack vector of this vulnerability.
Affected Countries
Germany, France, Netherlands, Norway, Sweden, United Kingdom, Belgium, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2025-06-06T19:17:00.418Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 685c3f5ae230f5b23485597b
Added to database: 6/25/2025, 6:26:34 PM
Last enriched: 6/25/2025, 6:42:02 PM
Last updated: 8/17/2025, 2:25:02 AM