Multiple critical security flaws have been identified in all versions of the Schneider Electric EVLink WallBox, which could allow attackers to gain remote control of the charging stations. The company has declared the product "end of life" and will not be issuing a patch, urging users to upgrade to a newer model.

The vulnerabilities, discovered by the Dutch Institute for Vulnerability Disclosure (DIVD), expose users to significant risks, including unauthorized access and manipulation of the charging process. The flaws are particularly concerning as they can be exploited remotely with low complexity, potentially impacting the transportation systems sector on a global scale.

The identified vulnerabilities include:

  • Path Traversal: This flaw could allow an unauthenticated user on the web server to manipulate file paths, potentially leading to arbitrary file writes. Another path traversal vulnerability could permit arbitrary file reads from the charging station, though this requires an authenticated session.
  • Cross-Site Scripting (XSS): An authenticated user can modify configuration parameters on the web server, leading to a stored cross-site scripting vulnerability in the report functionality.
  • OS Command Injection: This critical vulnerability could allow an attacker with an authenticated session to modify configuration parameters and gain remote control of the charging station.

Successful exploitation of these vulnerabilities could have severe consequences. An attacker could potentially take over the charging station, which could lead to service interruptions, unauthorized use of the charger, and manipulation of charging data. In a broader context, such vulnerabilities in electric vehicle supply equipment could even be leveraged to impact the electrical grid.

Schneider Electric has assigned CVE numbers to these vulnerabilities (CVE-2025-5740, CVE-2025-5741, CVE-2025-5742, and CVE-2025-5743) and has been transparent about the "end of life" status of the EVLink WallBox. The company will not provide a security fix and recommends that users replace the vulnerable devices with the EVLink Pro AC, which is not affected by these issues.

For users who choose to continue operating the EVLink WallBox, the DIVD and other cybersecurity entities recommend a series of mitigation measures:

  • Isolate the device: Ensure the charging station is not accessible from any untrusted network, such as the internet, public Wi-Fi, or visitor networks. Implementing network segmentation, like placing the device on a separate VLAN, is highly recommended.
  • Strengthen access control: Use a strong, unique password for the device and change it regularly.
  • Monitor activity: Regularly check the device's logs for any signs of abuse or unauthorized access.

This incident underscores the growing importance of cybersecurity in the expanding market of electric vehicles and smart home devices. As more of this technology is integrated into our daily lives, the need for secure development practices and timely vulnerability management from manufacturers becomes paramount. The Canadian Centre for Cyber Security has also issued an advisory, encouraging users to review Schneider Electric's notifications and implement the suggested mitigations.