OTPulse

Schneider Electric EVLink Parking

Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-19-031-01 · Jan 31, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric EVLink Parking units running firmware version 3.2.0-12_v1 and earlier contain three critical vulnerabilities: hard-coded credentials (CWE-798), code injection (CWE-94), and SQL injection (CWE-89) in the web interface. Successful exploitation allows an attacker to stop the device and prevent charging, execute arbitrary commands on the charging station, and reach the management interface with full administrative privileges without authenticating.

What this means
What could happen
An attacker can remotely disable charging operations on EVLink Parking units, execute arbitrary commands on the devices, or gain full administrative access to the web interface without authentication.
Who's at risk
Electric utilities, municipalities and parking lot operators running EV charging infrastructure, in particular EVLink Parking units installed in parking facilities, depots, fleet charging operations and municipal charging networks.
How it could be exploited
An attacker with network access to the EVLink Parking unit's web interface sends crafted requests to it. The interface does not require the attacker to hold valid credentials: the hard-coded credentials grant a login, the SQL injection flaw lets the attacker manipulate the web application's database queries, and the code injection flaw lets the attacker run arbitrary code on the charging station. Any of the three gives direct access to administrative functions.
Prerequisites
  • Network access to the EVLink Parking unit (typically port 80/443 for web interface)
  • No valid credentials required
Tags: Remotely exploitable · No authentication required · Low complexity · Can stop charging operations · Allows arbitrary code execution · Default or hardcoded credentials
Exploitability
Moderate exploit probability (EPSS 7.0%)
Affected products (1)
Product | Affected versions | Fix status
EVLink Parking | ≤ 3.2.0-12_v1 | Software update available from Schneider Electric (see Remediation & Mitigation)
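The affected-version statement above is an "and earlier" cutoff, so triaging an inventory means comparing firmware strings of the form the advisory itself uses (dotted release, build number after a dash, optional "_v1" suffix). The following is an added example, not Schneider Electric's or OTPulse's code: it parses that format into a comparable tuple and sorts a constructed inventory into affected, unaffected and unknown units. The hostnames and firmware strings in the sample inventory are assumptions; the version grammar is inferred from the single string "3.2.0-12_v1" on this page, so anything that does not parse is reported for a human look rather than silently treated as fixed.

```python
"""Firmware triage against the advisory cutoff "3.2.0-12_v1 and earlier".

Added example, not Schneider Electric's or OTPulse's code. The inventory
below is constructed sample data; hostnames and version strings are
assumptions made for the example.
"""
import re

LAST_AFFECTED = "3.2.0-12_v1"

# Grammar inferred from the advisory's own version string:
#   <release: 3.2.0> [-<build: 12>] [_v<variant: 1>]   (space before v also accepted)
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"      # 3.2.0
    r"(?:-(?P<build>\d+))?"             # -12
    r"(?:[ _]?v(?P<variant>\d+))?$",    # _v1  or  " v1"
    re.IGNORECASE,
)


def parse_version(text):
    """Turn an EVLink-style version string into a tuple that compares correctly.

    Missing components count as 0, so "3.2.0" sorts below "3.2.0-12_v1" and
    "3.3" sorts above it. Strings that do not look like a version raise
    ValueError instead of being mistaken for a safe build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    release += (0,) * (3 - len(release))          # normalise to at least 3 fields
    build = int(m.group("build") or 0)
    variant = int(m.group("variant") or 0)
    return release + (build, variant)


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when the firmware is at or below the advisory's last affected build."""
    return parse_version(version) <= parse_version(last_affected)


def triage(inventory):
    """Split (hostname, firmware) pairs into (affected, unaffected, unknown).

    Unparseable versions land in 'unknown' so they are reviewed by hand
    rather than reported as 'not affected'.
    """
    affected, unaffected, unknown = [], [], []
    for host, firmware in inventory:
        try:
            (affected if is_affected(firmware) else unaffected).append(host)
        except ValueError:
            unknown.append(host)
    return affected, unaffected, unknown


# Constructed sample inventory (hostnames and versions are assumptions).
SAMPLE_INVENTORY = [
    ("evlink-p1-01", "3.2.0-12_v1"),   # exactly the last affected build
    ("evlink-p1-02", "3.1.4-7_v2"),    # older release: affected
    ("evlink-p2-02", "3.3.0-1"),       # later release: not flagged
    ("evlink-depot-9", "unknown"),     # no version reported by the asset system
]

if __name__ == "__main__":
    affected, unaffected, unknown = triage(SAMPLE_INVENTORY)
    print("affected:  ", affected)
    print("unaffected:", unaffected)
    print("unknown:   ", unknown)
```

Feed `triage()` the hostname/firmware pairs exported from whatever asset inventory tracks the charging stations; the "unknown" bucket is the one to chase first, since a station whose firmware cannot be read is also one whose exposure cannot be ruled out.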
Remediation & Mitigation
Do now
WORKAROUND: Configure firewall rules so that remote access to EVLink Parking charging stations is possible only from authorized networks and IP addresses.
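Since all three flaws are reached through the web interface on TCP 80/443, the workaround comes down to one decision: does this source address belong to the management allowlist or not. The following is an added example, not Schneider Electric's or OTPulse's code, written for a Linux firewall forwarding traffic between the management network and the station VLAN. It encodes that decision once in Python, so it can be tested against sample flows, and renders the same policy as an nftables ruleset that accepts allowlisted sources to the station web ports, logs and drops everyone else to those ports, and leaves other traffic to the stations for the rest of the firewall configuration. The station addresses, the allowlist, the table and set names and the log prefix are all assumptions for the example.

```python
"""Management-plane allowlist for EVLink Parking web interfaces.

Added example, not Schneider Electric's or OTPulse's code. Station
addresses, the allowlist and the nftables names are assumptions; the
flows checked in the tests are constructed.
"""
import ipaddress

# Constructed sample data (assumptions for the example, not advisory values).
STATIONS = ["10.30.5.1", "10.30.5.2", "10.30.5.3"]   # charging station VLAN
MGMT_ALLOW = ["10.20.0.0/24", "10.20.1.10"]           # operator management net + jump host
WEB_PORTS = (80, 443)                                  # the exposed web interface


def _nets(addrs):
    return [ipaddress.ip_network(a, strict=False) for a in addrs]


def decide(src, dst, dport, stations=STATIONS, allow=MGMT_ALLOW, ports=WEB_PORTS):
    """Return what the rendered ruleset does with a new TCP flow.

    'accept'    allowlisted source reaching a station web port
    'drop'      any other source reaching a station web port
    'unmatched' traffic this policy does not touch (other ports or hosts),
                which falls through to the rest of the firewall configuration
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport not in ports or not any(d in n for n in _nets(stations)):
        return "unmatched"
    return "accept" if any(s in n for n in _nets(allow)) else "drop"


def render_nft(stations=STATIONS, allow=MGMT_ALLOW, ports=WEB_PORTS):
    """Emit an nftables ruleset implementing the same decision on a Linux
    firewall between the management network and the station VLAN.

    Set names and the log prefix are arbitrary choices for this example.
    """
    station_set = ", ".join(stations)
    allow_set = ", ".join(allow)
    port_set = ", ".join(str(p) for p in ports)
    return (
        "table inet evlink_mgmt {\n"
        "    set stations {\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {station_set} }}\n"
        "    }\n"
        "    set mgmt_allow {\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {allow_set} }}\n"
        "    }\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        "        ct state established,related accept\n"
        f"        ip daddr @stations tcp dport {{ {port_set} }} ip saddr @mgmt_allow accept\n"
        f"        ip daddr @stations tcp dport {{ {port_set} }} "
        'log prefix "evlink-web-drop " drop\n'
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(render_nft())
    for flow in [("10.20.0.15", "10.30.5.1", 443), ("192.168.50.9", "10.30.5.1", 80)]:
        print(flow, "->", decide(*flow))
```

Load the rendered text with `nft -f` on the firewall, and keep `decide()` around as the executable statement of intent: when a station is added or a management host changes, update the lists, rerun the sample flows, and regenerate the ruleset, rather than editing live rules by hand. The log prefix gives a hook for detecting scans of the station web ports from outside the allowlist.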
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Download and install the software update from Schneider Electric's support site (https://www.schneider-electric.com/en/download/range/60850-EVlink Parking/)
Long-term hardening
HARDENING: Isolate the charging station network from the business network using a firewall or network segmentation
HARDENING: Ensure charging stations are not reachable directly from the Internet; require a VPN or jump host for remote access
HARDENING: Implement physical access controls to prevent unauthorized connection to charging station management interfaces