Vestel AC Charger

Plan PatchCVSS 7.5ICS-CERT ICSA-25-114-03Apr 24, 2025

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AC Charger EVC04 versions 3.75.0 and earlier contain an information disclosure vulnerability that allows an attacker to extract sensitive credentials from the device without authentication. The vulnerability could enable attackers to cause denial of service or alter charger operations, and compromised credentials may be used to attack connected systems.

What this means

What could happen

An attacker with network access to the AC charger could steal sensitive information including credentials, potentially leading to unauthorized control over charging operations or denial of service. Compromised credentials could allow further attacks on connected utility or facility management systems.

Who's at risk

Electric utilities, charging station operators, fleet managers, and municipal facilities deploying Vestel AC Charger EVC04 units. This includes public charging networks, private fleets, and buildings with EV charging infrastructure.

How it could be exploited

An attacker on the network can access the web configuration interface of the AC charger without authentication. By exploiting information disclosure weaknesses, the attacker extracts stored credentials from the device or its configuration. These credentials can then be used to access other chargers, utility systems, or connected infrastructure.

Prerequisites

Network access to the AC charger's web configuration interface
The charger is running firmware version 3.75.0 or earlier
The charger is reachable from an untrusted network or connected without proper firewall segmentation

remotely exploitableno authentication requiredlow complexityinformation disclosure could enable lateral movement to utility systems

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

AC Charger EVC04: 3.75.03.75.03.187+

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDChange factory default username and password on the web configuration page

HARDENINGRestrict network access to the charger's web interface using firewall rules—allow only from authorized management networks or VPNs

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate AC Charger EVC04 firmware to version 3.187 or later

Long-term hardening

0/1

HARDENINGUse a VPN for any remote access to charger management interfaces and keep VPN software updated

CVEs (1)

CVE-2025-3606

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/131fe70f-2d4d-4daf-bdfe-9b5538e9d6b8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.