CVE-2025-6678 is a high-severity vulnerability affecting the Autel MaxiCharger AC Wallbox Commercial electric vehicle charging stations, specifically version 1.36.00. The vulnerability is classified under CWE-306, which indicates a missing authentication for a critical function. The flaw resides in the Pile API of the charging station software, where certain API endpoints do not require any authentication before granting access. This lack of authentication allows remote attackers to access sensitive information, including credentials, without any user interaction or prior privileges. Exploiting this vulnerability can lead to disclosure of sensitive data that could be leveraged for further attacks or unauthorized control of the charging infrastructure. The vulnerability has a CVSS 3.0 base score of 7.5, reflecting its high impact on confidentiality with no impact on integrity or availability. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). Although no known exploits are currently reported in the wild, the ease of exploitation and the critical nature of the information disclosed make this a significant threat to organizations deploying these charging stations. The absence of authentication on critical API functions represents a fundamental security design flaw that could be exploited by attackers to compromise the charging infrastructure and potentially pivot to other connected systems within the organization.

For European organizations, this vulnerability poses a significant risk to the security and privacy of electric vehicle charging infrastructure, which is increasingly critical as Europe pushes for widespread EV adoption. Disclosure of credentials could allow attackers to manipulate charging station operations, disrupt services, or gain unauthorized access to internal networks if the charging stations are connected to corporate or utility networks. This could lead to operational disruptions, loss of customer trust, and potential regulatory penalties under GDPR if personal or sensitive data is exposed. Furthermore, compromised charging stations could be used as footholds for broader attacks on energy infrastructure or critical services, especially in sectors like transportation, logistics, and public utilities. The impact is particularly severe for organizations relying on Autel MaxiCharger AC Wallbox Commercial stations in commercial or public settings, where availability and security are paramount. Given the vulnerability does not affect integrity or availability directly, the primary concern is confidentiality breach, but the subsequent misuse of disclosed credentials could escalate the impact.

To mitigate this vulnerability, organizations should prioritize the following actions: 1) Immediately isolate affected charging stations from external and untrusted networks to reduce exposure. 2) Implement network-level access controls such as firewalls and VPNs to restrict access to the Pile API endpoints only to trusted administrators and systems. 3) Monitor network traffic for unusual access patterns or unauthorized API calls targeting the charging stations. 4) Engage with Autel to obtain firmware updates or patches addressing the authentication flaw; if none are available, consider temporary compensating controls such as API gateways or reverse proxies enforcing authentication. 5) Conduct regular security audits and penetration tests on charging infrastructure to detect similar vulnerabilities. 6) Educate operational staff on the risks and signs of compromise related to EV charging infrastructure. 7) Segment the charging station network from critical corporate or utility networks to limit lateral movement in case of compromise. These targeted mitigations go beyond generic advice by focusing on network segmentation, monitoring, and compensating controls in the absence of an official patch.