Critical Vulnerability in Vestel AC Charger Exposes EV Infrastructure to Cyber Threats

A recently disclosed vulnerability in the Vestel AC Charger, identified as CVE-2025-3606, underscores the persistent cybersecurity risks confronting the rapidly expanding electric vehicle (EV) charging infrastructure. As EV adoption accelerates globally, the security of charging stations becomes paramount to ensure the integrity and reliability of transportation systems.

Background on the Vulnerability

The vulnerability, CVE-2025-3606, affects the Vestel AC Charger EVC04 model running version 3.75.0. This flaw allows unauthorized access to sensitive system information, including credentials, which could be exploited to further compromise the device. The Cybersecurity and Infrastructure Security Agency (CISA) has assigned a Common Vulnerability Scoring System (CVSS) v4 base score of 8.7 to this vulnerability, indicating a high level of severity. (cisa.gov)

Technical Details

The vulnerability is categorized under CWE-497, which pertains to the exposure of sensitive system information to an unauthorized control sphere. Specifically, the flaw enables attackers to access files containing sensitive information, such as credentials, without authentication or user interaction. This unauthorized access can lead to denial-of-service attacks or partial loss of device integrity. (cisa.gov)

Implications and Impact

The exploitation of CVE-2025-3606 poses significant risks to the EV charging infrastructure:

• Service Disruption: Attackers could disable charging stations, leading to widespread service interruptions and undermining public confidence in EV infrastructure.
• Data Breach: Access to sensitive information could result in data breaches, compromising user privacy and potentially leading to identity theft.
• System Integrity: Unauthorized access to system credentials could allow attackers to alter device configurations, leading to operational anomalies or safety hazards.

Mitigation Strategies

To address this vulnerability, Vestel recommends the following actions:

• Firmware Update: Users should update the affected AC chargers to version 3.187 or higher to remediate the vulnerability. (cisa.gov)
• Network Security: Avoid using open networks for device communication. Implement secure methods like Virtual Private Networks (VPNs) for remote access, and ensure that connected devices maintain strong security measures.
• Credential Management: Change default usernames and passwords to strong, unique credentials. Remove any printed documents containing login information from online sources to prevent unauthorized access.

Broader Context

The discovery of CVE-2025-3606 highlights a broader issue within the Internet of Things (IoT) and Industrial Control Systems (ICS): the need for robust cybersecurity measures in critical infrastructure. As more devices become interconnected, the potential attack surface expands, necessitating proactive security strategies to safeguard against evolving cyber threats.

Conclusion

The CVE-2025-3606 vulnerability in the Vestel AC Charger serves as a critical reminder of the importance of cybersecurity in the EV charging ecosystem. Stakeholders, including manufacturers, operators, and users, must collaborate to implement comprehensive security measures, ensuring the resilience and trustworthiness of EV infrastructure in the face of increasing cyber threats.

• Vestel AC Charger | CISA
• CVE-2025-3606 - Detail CVSS, EPSS & CISA Kev | CVE Find
• Critical Vestel AC Charger Vulnerability Highlights EV Infrastructure Cyber Risks | Windows Forum
• CVE-2025-3606 - Overview, Insights & Trends | Intruder
• CVE-2025-3606 - vulnerability database | Vulners.com