LITEON IC48A and IC80A EV Chargers
Plan Patch | CVSS 7.5 | ICS-CERT ICSA-25-196-03 | Jul 15, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
LITEON IC48A and IC80A EV chargers contain an authentication bypass vulnerability (CWE-256) that allows an attacker with network access to read sensitive information without credentials. The vulnerability affects firmware versions prior to 01.00.20h (IC48A) and 01.01.13m (IC80A). LITEON has released patched firmware versions. No public exploitation has been reported. CVSS score 7.5 reflects high-severity information disclosure risk.
What this means
What could happen
An attacker with network access to the EV charger could read sensitive information such as operational data, configuration details, or credentials stored on the device, potentially enabling further attacks on the charging infrastructure or connected networks.
Who's at risk
Water authorities and municipal utilities operating LITEON IC48A and IC80A EV charging stations, particularly those managing fleet electric vehicle charging or public charging infrastructure. Any organization where these chargers are networked and reachable from untrusted network segments is at risk.
How it could be exploited
An attacker on the network sends requests to the EV charger without authentication to access sensitive data endpoints. The charger does not properly verify the requestor's authorization and returns confidential information that could include operational parameters, credentials, or system configuration.
Prerequisites
- Network access to the EV charger IP address and relevant port
- No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity, information disclosure of sensitive data
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
LITEON IC48A | <Firmware 01.00.19r | Firmware 01.00.20h
LITEON IC80A | <Firmware 01.01.12e | Firmware 01.01.13m
Remediation & Mitigation
Do now
- HARDENING: Isolate EV chargers behind a firewall and restrict network access to only authorized management interfaces
- HARDENING: Ensure EV chargers are not directly accessible from the internet or untrusted networks
- HARDENING: If remote management is required, require VPN access with current security patches and strong authentication
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HOTFIX: Upgrade LITEON IC48A to firmware version 01.00.20h or later
- HOTFIX: Upgrade LITEON IC80A to firmware version 01.01.13m or later
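To decide which chargers go into the maintenance window, an asset inventory can be triaged against the fixed firmware versions above. The script below is an added example, not LITEON or ICS-CERT code; the version layout (three numeric fields plus a letter suffix), the status names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed firmware per model, taken from the advisory.
FIXED = {"IC48A": "01.00.20h", "IC80A": "01.01.13m"}

# Assumed layout: optional "Firmware" prefix, three numeric fields, optional letter.
VERSION_RE = re.compile(r"^(?:Firmware[ _])?(\d+)\.(\d+)\.(\d+)([a-z]?)$", re.I)


def parse_version(text):
    """Return ((major, minor, build), suffix), or None if the string does not parse."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4).lower()


def triage(model, firmware):
    """Classify one charger: 'patched', 'vulnerable', 'review' or 'not-listed'."""
    fixed = FIXED.get(model.upper())
    if fixed is None:
        return "not-listed"      # model is not covered by this advisory
    have, want = parse_version(firmware), parse_version(fixed)
    if have is None:
        return "review"          # unreadable version string: check by hand
    if have[0] != want[0]:
        return "patched" if have[0] > want[0] else "vulnerable"
    # Same numeric build: the advisory does not document how letter suffixes
    # are ordered, so only an exact match is treated as patched.
    return "patched" if have[1] == want[1] else "review"


# Constructed sample inventory (hostnames and reported versions are made up).
INVENTORY = [
    ("depot-01", "IC48A", "01.00.19r"),
    ("depot-02", "IC48A", "Firmware_01.00.20h"),
    ("garage-01", "IC80A", "01.01.12e"),
    ("garage-02", "IC80A", "01.01.13k"),
    ("garage-03", "IC80A", "v2-unknown"),
]


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as `review` need the firmware string confirmed on the device before they are counted as patched.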
CVEs (1)
API: /api/v1/advisories/9a5aeb20-3414-4b16-9545-7acbbfe5bfea