OTPulse

Siemens Heliox EV Chargers

Low Risk | CVSS 3 | ICS-CERT ICSA-26-071-05 | Mar 12, 2026
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Heliox EV Charging Stations contain an improper access control vulnerability accessible via the charging cable connector. An attacker with physical access could bypass authentication to reach unauthorized services. Siemens is releasing firmware updates over the air (OTA).

What this means
What could happen
An attacker with physical access to the charging cable connector could bypass authentication controls and reach unauthorized diagnostic or management services on the charger, potentially allowing them to retrieve sensitive information or interfere with charging operations.
Who's at risk
Organizations operating Siemens Heliox DC fast-charging infrastructure should assess their fleets. This affects both the Heliox Flex 180 kW (used in public/commercial charging networks) and Heliox Mobile 40 kW (portable/fleet charging) stations. Any municipality or utility operating EV charging networks with these Siemens chargers is at risk.
How it could be exploited
An attacker physically connects to the charging station via the charging cable interface. By exploiting improper access control, they can reach backend services (such as diagnostics or remote management functions) that should be protected. The attack requires physical proximity to the charging station but does not require valid credentials or network access.
Prerequisites
  • Physical access to the Heliox charging station and its charging cable connector
  • Knowledge of the vulnerable service endpoints
Requires physical access to device · Affects multiple product variants · No patch currently available · Default or improper access controls
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
Heliox Flex 180 kW EV Charging Station | <F4.11.1 | No fix yet
Heliox Mobile DC 40 kW EV Charging Station | <L4.10.1 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict physical access to charging stations and charging cable connectors to authorized personnel only; use cable locks, protective enclosures, or monitored parking areas
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Siemens customer support to obtain and apply the latest firmware OTA (Over-The-Air) update for your Heliox charging stations
Long-term hardening
HARDENING: Locate EV charging station networks behind firewalls and isolate them from business networks and the internet
HARDENING: Implement physical security monitoring or surveillance of charging station locations
Siemens Heliox EV Chargers | CVSS 3 - OTPulse