Siemens VersiCharge AC Series EV Chargers

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-135-08 | May 13, 2025
Siemens
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens VersiCharge AC Series EV Chargers contain two vulnerabilities in default Modbus port access and M0 firmware validation. CVE-2025-31929 allows unauthenticated control of charger operations via Modbus TCP on port 502. CVE-2025-31930 allows arbitrary code execution by uploading malicious firmware without proper validation. Both affect dozens of single-phase (7.4 kW) and three-phase (22 kW) charger models in IEC, IEC ERK, and UL commercial/residential variants. Siemens has released firmware version 2.135 or later for some products; many models are marked as having no fix planned.

What this means
What could happen
An attacker with network access to these EV chargers could take control of charging operations, disable charging, or alter charging parameters. In a municipal fleet or utility-operated charging network, this could disrupt electric vehicle charging infrastructure at scale.
Who's at risk
Municipalities and utilities operating Siemens VersiCharge AC Series EV charging infrastructure should prioritize this. Affected products include both single-phase (7.4 kW IEC) and three-phase (22 kW IEC and UL commercial/residential) chargers. Any organization with VersiCharge equipment deployed in a public or fleet charging network is affected.
How it could be exploited
An attacker on the same network segment as the charger could send Modbus commands to port 502 (default Modbus TCP port) without authentication to control the device, or upload malicious firmware to the M0 processor by exploiting insufficient validation of firmware images.
Prerequisites
  • Network access to Modbus TCP port 502 on the affected charger
  • No authentication required for Modbus protocol access
  • For firmware exploitation: ability to upload a file to the charger's firmware update interface
remotely exploitable | no authentication required | low complexity | affects critical infrastructure (EV charging networks) | many products have no fix planned
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (66)
32 with fix, 34 pending
Product | Affected Versions | Fix Status
IEC 1Ph 7.4kW Child socket | All versions | No fix yet
IEC 1Ph 7.4kW Child socket | < V2.135 | 2.135
IEC 1Ph 7.4kW Child socket/ shutter | All versions | No fix yet
IEC 1Ph 7.4kW Child socket/ shutter | < V2.135 | 2.135
IEC 1Ph 7.4kW Parent cable 7m | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: For products without available patches, restrict network access to Modbus port 502 using firewall rules to allow only authorized engineering workstations and management systems.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update affected chargers to firmware version 2.135 or later where patches are available.
Long-term hardening
HARDENING: Isolate EV charger management networks from general IT networks and untrusted network segments.
HARDENING: Implement network segmentation so chargers can only communicate with authorized control systems and management servers.
HARDENING: Disable remote firmware update capabilities on chargers if not operationally required, or restrict access to firmware update interfaces to authorized administrative networks only.
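
One way to check that the port 502 restriction and segmentation above actually hold is to audit firewall or flow logs for accepted Modbus TCP sessions reaching chargers from anywhere other than the authorized workstations. The script below is an added example, not Siemens or advisory code; the CSV log layout, subnets, addresses and function names are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

MODBUS_TCP_PORT = 502  # default Modbus TCP port named in the advisory

# Constructed values (assumptions): charger subnet and authorized sources.
CHARGER_NETS = [ipaddress.ip_network("10.20.30.0/24")]
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.10/32"),  # engineering workstation
                   ipaddress.ip_network("10.20.1.20/32")]  # management server

# Constructed flow records (assumed layout): time,src,dst,dport,proto,action
SAMPLE_FLOWS = """\
2025-05-14T08:00:01Z,10.20.1.10,10.20.30.15,502,tcp,accept
2025-05-14T08:03:12Z,10.20.30.77,10.20.30.15,502,tcp,accept
2025-05-14T08:04:40Z,192.168.5.9,10.20.30.16,502,tcp,drop
2025-05-14T08:05:02Z,192.168.5.9,10.20.30.16,502,tcp,accept
2025-05-14T08:06:30Z,10.20.1.20,10.20.30.15,443,tcp,accept
not,a,valid,record
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_modbus_flows(text, charger_nets=CHARGER_NETS, allowed=ALLOWED_SOURCES):
    """Return (violations, skipped): accepted Modbus TCP flows to chargers from
    sources outside the allowlist, plus the count of unparseable rows."""
    violations, skipped = [], 0
    for row in csv.reader(io.StringIO(text)):
        try:
            ts, src, dst, dport, proto, action = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        relevant = (proto.lower() == "tcp" and port == MODBUS_TCP_PORT
                    and action.lower() == "accept" and _in_any(dst_ip, charger_nets))
        if relevant and not _in_any(src_ip, allowed):
            violations.append((ts, src, dst))
    return violations, skipped

if __name__ == "__main__":
    hits, bad = audit_modbus_flows(SAMPLE_FLOWS)
    for ts, src, dst in hits:
        print(f"{ts} unauthorized Modbus/TCP {src} -> {dst}:{MODBUS_TCP_PORT}")
    print(f"{len(hits)} violation(s), {bad} unparseable row(s)")
```

The second constructed record is a host inside the charger subnet itself, which is the adjacent-network case the advisory describes; a perimeter-only rule would not block it.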