View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.6
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: EVLink WallBox
• Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain remote control of the charging station.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• EVLink WallBox: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability exists, which could cause arbitrary file writes when an unauthenticated user on the web server manipulates the file path.

CVE-2025-5740 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-5740. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability exists, which could cause arbitrary file reads from the charging station. Exploitation of this vulnerability requires an authenticated session of the web server.

CVE-2025-5741 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-5741. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability exists when an authenticated user modifies the configuration parameters on the web server.

CVE-2025-5742 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-5742. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability exists, which could cause remote control of the charging station when an authenticated user modifies configuration parameters on the web server.

CVE-2025-5743 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-5743. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Dutch Institute for Vulnerability Disclosure (DIVD) reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

According to Schneider Electric, EVLink WallBox product has reached its end of life and is no longer supported. Users should also consider upgrading to the replacement product offering EVLink Pro AC to resolve these issues. Users should immediately apply the following mitigations to reduce the risk of exploit:

• Firewall Configuration and Logs:
  • Set up network segmentation and implement a firewall to block all unauthorized access to HTTP ports.
  • Periodically check the access log.
• Password:
  • Choose a strong password.
  • Do not share your password.
  • Change your password periodically .

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-161-03 EVLink WallBox - SEVD-2025-161-03 PDF Version, EVLink WallBox - SEVD-2025-161-03 CSAF Version.

Schneider Electric strongly recommends the following industry cybersecurity best practices.

• Passwords should include upper case, lower case, number and special characters, a length of 20 characters is ideal.
• A default Admin password must be changed immediately when first received and after a factory reset.
• Device should only be used in a personal home network.
• Device should not have a publicly accessible IP address.
• Do NOT use port forwarding to access a device from the public internet.
• A device should be on its own network segment. If your router supports a guest network or VLAN, it is preferable to locate the device there.
• Use the strongest Wi-Fi encryption available, such as WPA3 or WPA2/3 with protected management frames.
• Schedule regular reboots of your routing device, smartphones, and computers.
• For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 24, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-161-03