CVE-2025-6678: CWE-306: Missing Authentication for Critical Function in Autel Autel MaxiCharger AC Wallbox Commercial
Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Pile API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26352.
AI Analysis
Technical Summary
CVE-2025-6678 is a high-severity vulnerability affecting the Autel MaxiCharger AC Wallbox Commercial electric vehicle charging stations, specifically version 1.36.00. The vulnerability is classified under CWE-306, which indicates a missing authentication for a critical function. The flaw resides in the Pile API of the charging station software, where certain API endpoints do not require any authentication before granting access. This lack of authentication allows remote attackers to access sensitive information, including credentials, without any user interaction or prior privileges. Exploiting this vulnerability can lead to disclosure of sensitive data that could be leveraged for further attacks or unauthorized control of the charging infrastructure. The vulnerability has a CVSS 3.0 base score of 7.5, reflecting its high impact on confidentiality with no impact on integrity or availability. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). Although no known exploits are currently reported in the wild, the ease of exploitation and the critical nature of the information disclosed make this a significant threat to organizations deploying these charging stations. The absence of authentication on critical API functions represents a fundamental security design flaw that could be exploited by attackers to compromise the charging infrastructure and potentially pivot to other connected systems within the organization.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the security and privacy of electric vehicle charging infrastructure, which is increasingly critical as Europe pushes for widespread EV adoption. Disclosure of credentials could allow attackers to manipulate charging station operations, disrupt services, or gain unauthorized access to internal networks if the charging stations are connected to corporate or utility networks. This could lead to operational disruptions, loss of customer trust, and potential regulatory penalties under GDPR if personal or sensitive data is exposed. Furthermore, compromised charging stations could be used as footholds for broader attacks on energy infrastructure or critical services, especially in sectors like transportation, logistics, and public utilities. The impact is particularly severe for organizations relying on Autel MaxiCharger AC Wallbox Commercial stations in commercial or public settings, where availability and security are paramount. Given the vulnerability does not affect integrity or availability directly, the primary concern is confidentiality breach, but the subsequent misuse of disclosed credentials could escalate the impact.
Mitigation Recommendations
To mitigate this vulnerability, organizations should prioritize the following actions:
1. Immediately isolate affected charging stations from external and untrusted networks to reduce exposure.
2. Implement network-level access controls such as firewalls and VPNs to restrict access to the Pile API endpoints only to trusted administrators and systems.
3. Monitor network traffic for unusual access patterns or unauthorized API calls targeting the charging stations.
4. Engage with Autel to obtain firmware updates or patches addressing the authentication flaw; if none are available, consider temporary compensating controls such as API gateways or reverse proxies enforcing authentication.
5. Conduct regular security audits and penetration tests on charging infrastructure to detect similar vulnerabilities.
6. Educate operational staff on the risks and signs of compromise related to EV charging infrastructure.
7. Segment the charging station network from critical corporate or utility networks to limit lateral movement in case of compromise.
In the absence of an official patch, the emphasis is on network segmentation, monitoring, and compensating controls rather than generic advice.
Affected Countries
Germany, France, Netherlands, Norway, Sweden, United Kingdom, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2025-06-25T18:02:03.974Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 685c3f5be230f5b2348559a1
Added to database: 6/25/2025, 6:26:35 PM
Last enriched: 6/25/2025, 6:41:36 PM
Last updated: 8/17/2025, 6:02:28 PM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)