Schneider Electric EVlink Home Smart and Schneider Charge

Plan Patch | CVSS 8.5 | ICS-CERT ICSA-25-023-03 | Oct 8, 2024
Schneider Electric | Energy | Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric EVlink Home Smart and Schneider Charge electric vehicle charging stations contain a vulnerability that could disclose confidential information stored on the devices. The vulnerability is related to remote test equipment and test features present in production units. The disclosed information is limited to test data and does not include customer personal data, nor does it enable abuse of the charging stations themselves. Patches have been released and are being automatically deployed through the Wiser application connection.

What this means
What could happen
An attacker with local access to an EVlink Home Smart or Schneider Charge station could extract confidential information stored on the device, though the advisory indicates this vulnerability is limited to legacy test equipment data and does not affect customer personal data or enable abuse of the charging stations.
Who's at risk
Water authorities and electric utilities operating EVlink Home Smart or Schneider Charge electric vehicle charging infrastructure. This affects fleet charging stations and public/private charging networks that rely on Schneider Electric charging equipment.
How it could be exploited
An attacker with physical or local network access to the charging station could extract confidential information through exposed test features that are present in production units. This requires direct access to the device and its internal systems.
Prerequisites
  • Physical or local network access to the charging station
  • Device must not have been automatically updated via Wiser application connection
local access required | affects charging infrastructure | test/debug features left in production
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
EVlink Home Smart | all <2.0.6.0.0 | 2.0.6.0.0
Schneider Charge | all <1.13.4 | 1.13.4
Remediation & Mitigation
Do now
HOTFIX: For new installations, ensure eSetup commissioning application is used to enforce the patched firmware versions during deployment
HARDENING: Check firmware version through Wiser application settings page to confirm all charging stations have been upgraded to the patched versions
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Verify that EVlink Home Smart charging stations are connected to the Wiser application to enable automatic firmware upgrade to version 2.0.6.0.0 or later
HOTFIX: Verify that Schneider Charge stations are connected to the Wiser application to enable automatic firmware upgrade to version 1.13.4 or later
Long-term hardening
HARDENING: Restrict physical and local network access to charging station hardware to authorized personnel only
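
A fleet-wide form of the firmware check and Wiser-connection check listed above, as an added example that is not part of the advisory or of any Schneider Electric tooling. It assumes firmware versions and connection status have already been collected into a CSV; the column names, station IDs and status labels are hypothetical.

```python
import csv
import io

# Fixed firmware versions, taken from the advisory's affected-products table.
FIXED = {
    "EVlink Home Smart": (2, 0, 6, 0, 0),
    "Schneider Charge": (1, 13, 4),
}

# Constructed sample inventory; column names and station IDs are assumptions.
SAMPLE_INVENTORY = """station_id,model,firmware,wiser_connected
CS-001,EVlink Home Smart,2.0.6.0.0,yes
CS-002,EVlink Home Smart,2.0.5.9.3,yes
CS-003,Schneider Charge,1.13.3,no
CS-004,Schneider Charge,1.14,yes
CS-005,Schneider Charge,unknown,yes
"""


def parse_version(text):
    """Turn '1.13.4' into (1, 13, 4); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version, fixed):
    width = max(len(version), len(fixed))  # pad the shorter tuple with zeros
    a, b = (v + (0,) * (width - len(v)) for v in (version, fixed))
    return a >= b  # numeric compare, so 1.9 sorts below 1.13


def classify(row):
    fixed = FIXED.get(row["model"].strip())
    if fixed is None:
        return "not-in-advisory"
    try:
        version = parse_version(row["firmware"])
    except ValueError:
        return "verify-manually"  # unreadable version: check the unit itself
    if is_patched(version, fixed):
        return "patched"
    # Unpatched: the automatic upgrade only reaches Wiser-connected stations.
    connected = row["wiser_connected"].strip().lower() == "yes"
    return "pending-auto-update" if connected else "connect-to-wiser"


def audit(csv_text):
    return {r["station_id"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}
```

Stations reported as `connect-to-wiser` are the ones the automatic deployment cannot reach and need follow-up first.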
API: /api/v1/advisories/f682def4-e150-4cae-8a9b-222fd84ef16e
