OTPulse

Vestel AC Charger

Plan Patch | 7.5 | ICS-CERT ICSA-25-114-03 | Apr 24, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Vestel AC Charger EVC04 contains a vulnerability (CWE-497) that allows an attacker with network access to retrieve sensitive information, including web interface credentials, from the device. These credentials can be used to modify charger operations or cause denial of service. Current firmware version 3.75.0 is affected and has no update path from Vestel.

What this means
What could happen
An attacker could intercept sensitive information including credentials from the AC charger's web interface, then use those credentials to modify charging behavior or stop the charger from operating.
Who's at risk
Electric vehicle (EV) charging operators and facilities with Vestel AC Charger EVC04 units, including commercial charging networks, municipal charging stations, and private fleet charging sites. Anyone managing or maintaining these chargers should be aware of the credential exposure risk.
How it could be exploited
An attacker with network access to the AC charger could send crafted requests to the web configuration interface to extract credentials or other sensitive data. Once credentials are obtained, the attacker could log in and modify charger settings or disable charging functionality.
Prerequisites
  • Network access to the AC charger's web interface (port 80/443 or similar)
  • The charger must be reachable from the attacker's network or the internet
  • Factory default credentials have not been changed
  • Remotely exploitable
  • No authentication required to extract sensitive data
  • Low complexity attack
  • Default credentials commonly known or published
  • No patch available for current versions below 3.187
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product            Affected Versions   Fix Status
AC Charger EVC04   3.75.0              3.187 or later
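The fix status above is a version threshold, and a common inventory mistake is comparing firmware strings lexically, which ranks the affected 3.75.0 above the fixed 3.187. The following is an added example (not code from OTPulse, Vestel or the advisory) that compares the version components numerically and flags EVC04 units below 3.187; the asset tags and the inventory list are constructed sample data, and only the versions 3.75.0 and 3.187 come from the advisory.

```python
from typing import List, Tuple

# Fix threshold taken from the advisory's "3.187 or later"
FIXED_VERSION = "3.187"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted firmware version into integer components.

    Tuple comparison then gives 3.187 > 3.75.0, whereas a plain string
    comparison would wrongly rank "3.75.0" above "3.187".
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running firmware is older than the fixed version."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory (asset tag, reported firmware version);
# the tags are hypothetical and do not describe any real site.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("evc04-bay-01", "3.75.0"),   # affected version from the advisory
    ("evc04-bay-02", "3.187"),    # exactly the fixed version
    ("evc04-bay-03", "3.190.1"),  # newer than the fix
    ("evc04-bay-04", "3.9"),      # older still, despite "9" > "1" as text
]


def find_unpatched(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the asset tags whose firmware is below the fixed version."""
    return [tag for tag, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    for tag in find_unpatched(SAMPLE_INVENTORY):
        print(f"{tag}: below {FIXED_VERSION}, schedule the firmware update")
```

Run against a real inventory export, the `find_unpatched` list is the set of chargers that belong in the maintenance-window item of the remediation checklist; everything at or above 3.187 drops out.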
Remediation & Mitigation
Do now
  • WORKAROUND: Force all AC charger users to change the factory default username and password immediately
  • WORKAROUND: Remove installation guides and quick start guides containing login credentials from public web access
  • HARDENING: Restrict network access to the AC charger web interface; allow only from trusted engineering networks or VPNs
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update AC Charger EVC04 firmware to version 3.187 or later
Long-term hardening
  • HARDENING: Deploy a VPN for any required remote access to chargers; keep the VPN software updated
API: /api/v1/advisories/131fe70f-2d4d-4daf-bdfe-9b5538e9d6b8