A heap-based buffer overflow in ABB Terra AC wallbox chargers, tracked as CVE-2025-5517, could allow attackers to seize control of electric vehicle charging stations and pivot into connected corporate networks, the U.S. Cybersecurity and Infrastructure Security Agency warned on May 26, 2026. CISA republished the advisory originally issued by ABB, highlighting that certain models of the popular EV chargers are vulnerable to remote exploitation via the Open Charge Point Protocol (OCPP).

The vulnerability resides in the charger’s OCPP message parser, where an attacker can send a specially crafted request that overflows a heap buffer, leading to arbitrary code execution or a denial-of-service condition. ABB has released firmware updates to address the flaw, and CISA strongly advises all owners of affected ABB Terra AC units to apply the patch immediately or implement compensating network controls.

Technical Deep Dive: The OCPP Attack Vector

OCPP is the de facto standard communication protocol between electric vehicle charging stations and central management systems. It enables remote monitoring, billing, firmware updates, and load balancing. Most publicly accessible charge points rely on OCPP, often transmitted over WebSockets or HTTP.

The vulnerability in question stems from insufficient bounds checking when the charger processes a specific OCPP message type. Researchers discovered that a malicious OCPP server (or a compromised intermediary) could send a BootNotification payload with an oversized field, causing the charger’s firmware to write beyond the allocated heap buffer. This overflow overwrites adjacent memory, corrupting control data that an attacker can manipulate to hijack execution flow.

Unlike stack-based overflows, heap overflows rely on corrupting heap metadata (such as free chunk pointers) or data in adjacent allocations to redirect program execution when the corrupted memory is later reused. In this case, the attacker-controlled data can overwrite a function pointer stored nearby, enabling a jump to shellcode or a return-oriented programming chain. Proof-of-concept demonstrations have shown reliable code execution on ARM-based processors commonly used in embedded Linux devices.

“The heap-based buffer overflow could be triggered without authentication, provided the attacker can reach the charger’s OCPP endpoint,” ABB’s advisory explained. “Successful exploitation may grant full control over the charger’s operating system, allowing an adversary to alter charging parameters, disable safety interlocks, or use the device as a foothold into the broader network.”

Although ABB has not disclosed a CVSS severity score, early assessments by independent security firms placed it at 9.6 under CVSS v4, owing to the network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

Which Devices Are Affected?

ABB confirmed that the following Terra AC wallbox models are impacted, though exact firmware revisions vary by region:

  • Terra AC W22-T-0 (firmware versions ≤ 4.2.1)
  • Terra AC W7-T-0 (firmware versions ≤ 4.2.1)
  • Terra AC W22-S-0 (firmware versions ≤ 4.2.1)
  • Terra AC W7-S-0 (firmware versions ≤ 4.2.1)

The firmware updates that patch CVE-2025-5517 are version 4.2.2 and higher. ABB has published the updates through its support portal and recommends that all operators verify their installations immediately.
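
The affected-model list and the 4.2.2 fix threshold above can be applied to a charger inventory as follows. This is an added example, not ABB or CISA tooling; the record fields (id, model, firmware, internet_facing) and the dotted numeric version format are assumptions. Versions are compared numerically so that a release such as 4.10.0 is not misread as older than 4.2.2.

```python
import re

# From the article text above: affected models and the first fixed release.
AFFECTED_MODELS = {"W22-T-0", "W7-T-0", "W22-S-0", "W7-S-0"}
FIRST_FIXED = (4, 2, 2)

def parse_version(text):
    """'4.2.1' -> (4, 2, 1), 'v4.10' -> (4, 10, 0); None if unparseable."""
    m = re.match(r"\s*[vV]?(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def normalise_model(text):
    """Drop the 'Terra AC' prefix and case/whitespace differences."""
    return re.sub(r"(?i)terra\s*ac|\s+", "", text or "").upper()

def triage(record):
    """Classify one inventory record (field names are assumptions)."""
    if normalise_model(record.get("model")) not in AFFECTED_MODELS:
        return "not-listed"
    version = parse_version(record.get("firmware"))
    if version is None:
        return "unknown-version"  # check by hand; do not assume patched
    return "patched" if version >= FIRST_FIXED else "vulnerable"

def patch_queue(records):
    """IDs that need attention, internet-facing units first."""
    todo = [r for r in records if triage(r) in ("vulnerable", "unknown-version")]
    todo.sort(key=lambda r: (not r.get("internet_facing", False), r["id"]))
    return [r["id"] for r in todo]

# Constructed sample inventory, not real devices.
SAMPLE = [
    {"id": "garage-01", "model": "Terra AC W22-T-0", "firmware": "4.2.1", "internet_facing": False},
    {"id": "garage-02", "model": "terra ac w7-s-0", "firmware": "4.10.0", "internet_facing": True},
    {"id": "lobby-01", "model": "Terra AC W7-T-0", "firmware": "v4.1.9", "internet_facing": True},
    {"id": "lobby-02", "model": "Terra AC W22-S-0", "firmware": "", "internet_facing": False},
    {"id": "depot-01", "model": "OtherVendor X1", "firmware": "1.0.0", "internet_facing": True},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["id"], triage(rec))
    print("patch first:", patch_queue(SAMPLE))
```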

CISA advises organizations to search for these devices on their networks using the Shodan or Censys internet scanning tools, as many EV chargers are inadvertently exposed to the public internet without proper firewall protection. A quick Shodan query reveals thousands of OCPP endpoints worldwide, a significant number of which belong to ABB Terra AC units.

Why EV Charger Security Matters

Electric vehicle chargers are no longer niche appliances; they are critical nodes in the energy grid. Compromised chargers could be enlisted into botnets for distributed denial-of-service attacks, used to manipulate electricity demand (potentially destabilizing the grid), or leveraged to exfiltrate payment card data from built-in payment terminals.

Moreover, many enterprises deploy EV chargers as part of their sustainability initiatives, integrating them with building management systems (BMS) and corporate IT networks. A single vulnerable charger can serve as an entry point for ransomware actors. In 2024, a similar OCPP vulnerability in another manufacturer’s charging stations led to a chain of intrusions that allowed attackers to move laterally from the charger to a Windows Server-based energy management system, ultimately encrypting files across the domain.

“Facility managers often treat EV chargers as simple electrical appliances, but they are Linux-based embedded computers with full network stacks,” said Dr. Emily Deng, a security researcher with EV CyberLabs. “They should be segmented away from production networks and monitored as rigorously as any OT device.”

CISA’s Mitigation Recommendations

In addition to applying the firmware update, CISA and ABB outlined several defense-in-depth measures:

  • Network Segmentation: Isolate EV charging infrastructure from business IT networks using VLANs or physically separate switches. Ensure that OCPP traffic flows through a dedicated firewall that restricts inbound connections to known management server IP addresses.
  • Disable Unnecessary OCPP Features: If remote configuration or firmware updates are not required, disable the corresponding OCPP operations. ABB’s guide explains how to lock down the OCPP profile via the charger’s local web interface.
  • Use Encrypted OCPP: Always enforce TLS 1.2 or 1.3 for OCPP communications. Without encryption, an attacker on the same network segment can inject malicious OCPP messages.
  • Implement Logging and Anomaly Detection: Forward charger logs to a SIEM and set up alerts for unusual OCPP payloads or unexpected reboots.
  • Apply Strong Access Controls: Change default credentials on the charger’s administration interface and employ certificate-based authentication for OCPP connections.

The Windows Angle: Securing the Management Backend

For Windows-focused IT teams, the real concern lies in the management systems that control these chargers. Popular EV charging management platforms—such as Driivz, GreenFlux, and ABB’s own Ability™ SaaS—often run on Windows Server, either on-premises or in Azure. If an attacker compromises a charger, they might manipulate OCPP responses to exploit vulnerabilities in the management software, leading to server-side code execution.

A historical example from 2023 involved an OCPP parser bug in a .NET-based management service that allowed a charger to send a specially crafted StartTransaction message that deserialized into arbitrary object instantiation, giving the attacker a foothold in the Windows domain. While CVE-2025-5517 is a firmware flaw, a compromised charger could be used to feed malicious data back to the Windows server, so administrators should ensure that the central management software is fully patched and that input validation is enforced on the server side, never trusting data from chargers.

To reduce the blast radius, run the charger management platform on a dedicated Windows Server instance not joined to the corporate domain, or use a hardened container environment. Enable Windows Defender Exploit Guard and Credential Guard, and configure audit policies to detect unusual process creation originating from the management service.

Additionally, Microsoft has released PowerShell tools for OCPP traffic monitoring that can be integrated into existing Windows Admin Center dashboards, providing a single pane of glass for both IT and operational technology (OT) assets.

Patching Challenges in the Field

Despite the severity, many charger operators cannot simply install an over-the-air update. EV chargers installed in public parking garages, shopping malls, and highway rest stops often rely on 4G cellular backhaul with data caps, making 50 MB firmware downloads problematic. Some sites have no on-site IT staff, requiring a truck roll for USB-based manual updates. ABB’s advisory provides a manual update procedure using a FAT32-formatted USB drive, which adds logistical overhead for fleet operators managing hundreds of chargers.

CISA strongly advises operators who cannot patch immediately to at least firewall the chargers and disable OCPP on the public internet interface. “Temporary mitigation is better than a preventable incident,” the agency stated.

A Growing Attack Surface

CVE-2025-5517 is not an isolated incident. The proliferation of smart EV chargers has exposed a vast and often unsecured attack surface. In 2022, researchers demonstrated that a buffer overflow in a ChargePoint home charger could be triggered by a malicious Wi-Fi network, leading to complete takeover. In 2024, an insecure firmware update mechanism in Webasto chargers allowed attackers to push persistent malware.

The Open Charge Alliance, which oversees the OCPP standard, has begun working on a security testing framework, but adoption is voluntary. Until regulatory mandates catch up—such as the UK’s upcoming Smart Charge Points legislation—responsibility falls on vendors and operators to proactively secure their devices.

What You Should Do Now

If your organization operates ABB Terra AC wallbox chargers:

  1. Inventory All Chargers: Use network scanning or ABB’s management tools to identify the firmware version of every unit. Prioritize internet-facing chargers.
  2. Apply the Patch: Download the latest firmware from ABB’s support portal (requires a login) and apply it using the recommended method.
  3. Verify the Update: After patching, confirm the firmware version via the charger’s web interface or the OCPP GetConfiguration operation.
  4. Harden Configurations: Implement the CISA-recommended network controls and disable unused services.
  5. Monitor for Exploitation Attempts: Look for logs showing anomalous OCPP message lengths or repeated reboot loops.
  6. Plan for Future Resilience: Integrate EV charger security into your vulnerability management program. Establish a regular patching cycle for IoT/OT devices.
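
The logging recommendation in the mitigation list and step 5 above both call for alerts on anomalous OCPP message lengths and reboot loops. The sketch below shows that detection logic over logged OCPP-J frames; it is an added example, not ABB or CISA tooling. The log shape (timestamp, charger ID, raw frame) and all thresholds are assumptions to tune per fleet.

```python
import json
from collections import defaultdict

# Assumed thresholds; tune them against your fleet's normal traffic.
MAX_FRAME_BYTES = 8192               # whole OCPP-J frame
MAX_STRING_LEN = 500                 # OCPP 1.6's longest bounded string is CiString500
BOOT_LIMIT, BOOT_WINDOW_S = 3, 600   # 3 boots within 10 minutes = reboot loop

def longest_string(value):
    """Length of the longest string (keys included) in decoded JSON."""
    if isinstance(value, str):
        return len(value)
    if isinstance(value, dict):
        value = list(value) + list(value.values())
    if isinstance(value, list):
        return max(map(longest_string, value), default=0)
    return 0

def scan(events):
    """events: (unix_ts, charger_id, raw_frame) tuples in time order -> alerts."""
    alerts, boots = [], defaultdict(list)
    for ts, charger, raw in events:
        if len(raw.encode("utf-8")) > MAX_FRAME_BYTES:
            alerts.append((ts, charger, "oversized-frame"))
        try:
            frame = json.loads(raw)
            if not (isinstance(frame, list) and frame[0] in (2, 3, 4)):
                raise ValueError("not a CALL/CALLRESULT/CALLERROR array")
        except (ValueError, IndexError):
            alerts.append((ts, charger, "malformed-frame"))
            continue
        if longest_string(frame) > MAX_STRING_LEN:
            alerts.append((ts, charger, "oversized-field"))
        if frame[0] == 2 and len(frame) > 2 and frame[2] == "BootNotification":
            # Keep only boots inside the sliding window, then count them.
            boots[charger] = [t for t in boots[charger] + [ts] if ts - t <= BOOT_WINDOW_S]
            if len(boots[charger]) >= BOOT_LIMIT:
                alerts.append((ts, charger, "reboot-loop"))
    return alerts

# Constructed sample log, not captured traffic.
BOOT = '[2,"a1","BootNotification",{"chargePointVendor":"ABB","chargePointModel":"Terra AC"}]'
SAMPLE = [
    (1000, "cp-01", BOOT),
    (1100, "cp-02", json.dumps([3, "b7", {"status": "x" * 600, "interval": 300}])),
    (1200, "cp-01", BOOT),
    (1400, "cp-01", BOOT),
    (1500, "cp-03", '{"not": "a frame"'),
]
```

Running `scan(SAMPLE)` flags the over-long field from cp-02, the third boot of cp-01 inside ten minutes, and the truncated frame from cp-03.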

The CISA advisory (ICSA-26-146-01) and ABB’s security notification are available for detailed technical guidance. The cybersecurity community expects further details and possible proof-of-concept exploits to surface within weeks, which could accelerate opportunistic attacks.

The Bigger Picture

The ABB Terra AC flaw underscores a systemic issue: as critical infrastructure becomes smarter and more connected, the software supply chain for embedded devices must be held to the same security rigor as traditional IT. EV chargers, much like building controllers and medical devices, are no longer insulated from cyber threats. For Windows-centric organizations, the message is clear: every node on your network, no matter how seemingly mundane, is a potential entry point. Treat them accordingly—or risk learning the hard way.

This incident also illustrates the growing collaboration between CISA and ICS vendors. By republishing the advisory, CISA amplifies awareness and provides a centralized resource for defenders. In the coming year, we can expect similar advisories as researchers continue to scrutinize EV charging protocols. For now, patching, segmentation, and vigilance remain the best defense against the next CVE to hit the headlines.