March 23, 2023

Schneider Electric has patched several new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacker attacks.

In an alert, Schneider Electric confirmed the detection and fix of various vulnerabilities in EVlink EV charging stations that could expose these deployments to malicious hackers. Specifically, the flaws reside in the EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2 and EVP2PE) and Smart Wallbox (EVB1A) equipment, in addition to other products that will no longer be supported.


Among the vulnerabilities addressed, cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws stand out; these could be exploited to perform actions while impersonating legitimate users. In addition, a vulnerability was addressed that could give attackers full access to charging stations via brute-force attacks. The most severe of the flaws received a CVSS score of 9.3/10.

The company warns that exploiting the critical flaw could lead to severe risk scenarios:

Malicious manipulation of charging stations could lead to denial of service (DoS) attacks, deregistration, and disclosure of sensitive information. Exploiting most of these vulnerabilities would require physical access to the system’s internal communication ports, although some complex attacks can be carried out remotely over the Internet.


Tony Nasr, a researcher who initially reported the vulnerabilities, mentions that the bugs involve sending specially crafted requests and that exploitation does not require interaction from vulnerable users: “Attacks allow threat actors to exploit compromised EVCS in a similar way to the operation of a botnet, allowing the deployment of various attacks.” However, exploiting the CSRF and XSS vulnerabilities requires specific levels of user interaction.

The researcher adds that while the most dangerous attack vector involves Internet-facing EVlink implementations, cybercriminals could still create a severe security risk for these stations over LAN, as the EVlink configuration requires network connectivity for remote control and more efficient management. These vulnerabilities were found as part of a larger study on electric vehicle charging station management systems. Full results of the study will be available in the coming months.
