LITEON IC48A and IC80A EV Chargers

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-25-196-03 | Jul 15, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

LITEON IC48A (firmware versions before 01.00.20h) and IC80A (firmware versions before 01.01.13m) contain an information disclosure vulnerability that allows unauthenticated attackers with network access to retrieve sensitive information from the devices. The vulnerability allows access to configuration, authentication credentials, or other sensitive data without prior authentication.

What this means
What could happen
An attacker with network access to an EV charger could read sensitive configuration, authentication, or operational data from the device, potentially exposing credentials or system settings that could be used for further attacks.
Who's at risk
LITEON EV charger operators, particularly charging station operators and fleet managers managing IC48A and IC80A models. This affects any organization that relies on these chargers for public or private electric vehicle charging infrastructure.
How it could be exploited
An attacker on the same network as a LITEON EV charger (or with internet access if the charger is exposed) can send network requests to retrieve sensitive information stored in the device's memory or configuration without needing credentials or authentication.
Prerequisites
  • Network access to the EV charger (can be from the same network or internet if the charger is publicly exposed)
  • No authentication or credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity exploitation
  • Information disclosure (credential or configuration exposure)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
LITEON IC48A: <Firmware_01.00.19r | <Firmware 01.00.19r | Firmware 01.00.20h
LITEON IC80A: <Firmware_01.01.12e | <Firmware 01.01.12e | Firmware 01.01.13m
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to EV chargers to authorized devices and networks only; do not expose chargers directly to the internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update LITEON IC48A to firmware version 01.00.20h or later
HOTFIX: Update LITEON IC80A to firmware version 01.01.13m or later
Long-term hardening
HARDENING: Place EV chargers behind a firewall and isolate them from general business networks; keep them on a separate or secured OT network segment
HARDENING: If remote management or access is required, enforce use of VPN or similar secure tunnel; ensure VPN is running current software patches
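
One way to triage a charger inventory against the fixed firmware versions listed above. This is an added example, not LITEON or ICS-CERT tooling: the inventory entries and function names are constructed, and it assumes the three numeric version fields order numerically while making no assumption about how the trailing letter orders.

```python
import re

# Fixed firmware versions, taken from the advisory text above.
FIXED = {"IC48A": "01.00.20h", "IC80A": "01.01.13m"}

# Accepts "01.00.19r", "Firmware 01.00.19r" and "Firmware_01.00.19r".
_VERSION_RE = re.compile(r"^(?:firmware[ _]?)?\s*(\d+)\.(\d+)\.(\d+)([a-z]?)$", re.I)

def parse_version(text):
    """Return (major, minor, patch, suffix), or None if the string does not parse."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix.lower())

def assess(model, firmware):
    """Classify one charger: vulnerable, patched, review or not-listed."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"          # model is not named in this advisory
    current, target = parse_version(firmware), parse_version(fixed)
    if current is None:
        return "review"              # unreadable version: check by hand
    if current[:3] != target[:3]:
        return "patched" if current[:3] > target[:3] else "vulnerable"
    # Same numeric build: the advisory does not define how letters order.
    return "patched" if current[3] == target[3] else "review"

# Constructed sample inventory (name, model, reported firmware); not real devices.
INVENTORY = [
    ("site-a-01", "IC48A", "01.00.19r"),
    ("site-a-02", "IC48A", "Firmware 01.00.20h"),
    ("site-b-01", "IC80A", "01.01.12e"),
    ("site-b-02", "IC80A", "01.01.13k"),
    ("site-c-01", "IC80A", "01.02.00a"),
    ("site-c-02", "IC80A", "unknown"),
]

def triage(inventory):
    """Map each charger name to its status."""
    return {name: assess(model, fw) for name, model, fw in inventory}

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name}: {status}")
```

Chargers reported as "review" need a manual check against the vendor's release notes rather than being assumed patched.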