Connect with us

Hi, what are you looking for?



New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking

Schneider Electric has patched several new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacker attacks.

Schneider Electric has patched several new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacker attacks.

Schneider announced the availability of patches on December 14, when it urged customers to immediately apply patches or mitigations. The flaws have been found to impact EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2 and EVP2PE) and Smart Wallbox (EVB1A) devices, as well as some products that have reached end of life.

The vendor has credited researcher Tony Nasr for finding a total of seven vulnerabilities in these charging stations, including one critical and five high-severity issues.

The security holes include cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs that can be exploited to carry out actions on behalf of a legitimate user, and a weakness that can be leveraged to gain access to a charging station’s web interface via brute-force attacks. The most serious issue — based on its CVSS score of 9.3 — is a server-side request forgery (SSRF) vulnerability.

EVlink electric vehicle charging station vulnerabilitiesSchneider warned that failure to take action could lead to “tampering and compromise of the charging station’s settings and accounts.”

“Such tampering could lead to things like denial of service attacks, which could result in unauthorized use of the charging station, service interruptions, failure to send charging data records to the supervision system and the modification and disclosure of the charging station’s configuration,” the industrial giant wrote in its advisory.

The company noted that exploitation of the vulnerabilities requires physical access to the system’s internal communication port, but admitted that attacks can also be launched from the local network and even the internet if the charging station is accessible from the web.

“The exploitation of Internet-connected charging stations does not require having access to the LAN, therefore making the attack vector very powerful and effective,” Nasr told SecurityWeek. “In this case, the adversary would perform Internet-wide scans to search for viable EVCS [electric vehicle charging stations] before attempting to exploit their vulnerabilities. However, it should be noted that connectivity of the EVCS does not present any difference in terms of the actual exploitation process (i.e., triggering the vulnerabilities).”

Advertisement. Scroll to continue reading.

“For instance, if the EVCS is not accessible via the Internet, then the adversary is assumed to have access to the LAN, which is a relatively trivial task (e.g., cracking Wi-Fi network passwords, networks with default configurations, etc), where the EVCS is connected to in order to conduct local, yet remote, exploitation. Following these two methods, the adversary can take control over the underlying EVCS, by launching various cyber attacks that leverage the discussed vulnerabilities,” he added.

The researcher pointed out that exploitation of some of the vulnerabilities, such as the SSRF bug, involves sending specially crafted requests and does not require any user interaction.

“Such an attack allows the adversary to leverage the compromised EVCS as a network proxy, practically building a botnet and conducting distributed cyber attacks, such as a distributed denial of service (DDoS), against other devices,” Nasr explained.

Exploitation of the XSS and CSRF vulnerabilities, on the other hand, does require some user interaction (e.g. clicking on a link).

“While the most devastating attack vector is a remote cyber attack that targets Internet-facing EVlink, adversaries can still pose a great danger to the ecosystem of these stations by targeting their management systems across LAN since fundamentally EVlink setup requires network connectivity for more efficient remote monitoring and management,” the researcher said.

Based on internet searches conducted with services such as Shodan and Censys, Nasr says there are thousands of internet-exposed systems.

“It should be noted that this amount greatly increases when discussing EVlink charging stations that are not currently Internet-facing but yet are network-configured and can still be attacked locally by exploiting the aforementioned vulnerabilities through specific vectors on LAN for instance,” the researcher noted.

Nasr said these vulnerabilities were found as part of a larger study into electric vehicle charging station management systems. The full results of the study will be made available next year — the researcher does not want to disclose at this point the names of other vendors and products targeted in the study.

As the popularity of EVs is increasing, so is the interest of cybersecurity researchers in charging stations. The security of these systems has also been analyzed this year by Pen Test Partners and Trend Micro

Related: Schneider Electric Vehicle Charging Stations Exposed to Hacker Attacks

Related: Connected Cars Moving Targets for Hackers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.