EVlink City / Parking / Smart Wallbox Charging Stations

Plan PatchCVSS 9.3SEVD-2021-348-02Dec 14, 2021

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric EVlink City, Parking, and Smart Wallbox charging stations contain multiple vulnerabilities affecting access control and authentication. Exploitation requires either physical access to the charging station's internal communication port (via disassembly) or network access to a connected supervision system, particularly if exposed to the internet. Successful exploitation allows an attacker to gain unauthorized access to the web server and modify charging station settings, accounts, and configurations, leading to potential denial of service, unauthorized charging usage, charging data loss, and unauthorized disclosure of station settings.

What this means

What could happen

An attacker with physical access to the charging station's internal port or network access to a connected, internet-exposed station could gain unauthorized access to the web server and modify charging settings, accounts, or deny service—disrupting EV charging operations and potentially preventing billing data from reaching the supervision system.

Who's at risk

Energy utilities and facility operators responsible for EV charging infrastructure, including those managing private charging stations, semi-public parking facilities, and on-street charging networks. Any organization deploying EVlink City, Parking, or Smart Wallbox stations—particularly those connected to supervision systems or accessible over the internet.

How it could be exploited

An attacker either disassembles the charging station enclosure to access the internal communication port, or exploits network connectivity if the station is connected to a supervision system and exposed to the internet. Once they reach the web server, they can modify station settings or accounts due to insufficient access controls and weak authentication mechanisms.

Prerequisites

Physical access to the charging station enclosure to reach the internal communication port, OR
Network access to a charging station connected to a supervision system (especially if exposed to the internet)
No valid credentials required to access the web server

remotely exploitable (if charging station connected to internet-facing supervision system)no authentication requiredlow complexity attack (web server access)high CVSS (9.3)affects EV charging operations and revenue systemsno patch available for EVlink City and Smart Wallbox

Exploitability

Unlikely to be exploited — EPSS score 0.6%

Affected products (3)

1 with fix1 pending1 EOL

ProductAffected VersionsFix Status

EVlink City<R8(3.4.0.2)No fix (EOL)

EVlink Parking<R8(3.4.0.2)R8(3.4.0.2)

EVlink Wallbox<R8(3.4.0.2)No fix yet

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGEnsure charging stations are not accessible from the internet; implement network segmentation to restrict access to supervision system networks

HARDENINGApply network security best practices (firewall rules, VPN, access controls) to limit exposure of charging station supervision systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

EVlink Parking

HOTFIXUpdate EVlink Parking firmware to R8 V3.4.0.2 or later (electronic board and commissioning tool version 3400-2 or newer)

EVlink City

HOTFIXFor EVlink City and Smart Wallbox: monitor Schneider Electric for future firmware updates addressing these vulnerabilities

Mitigations - no patch available

0/1

EVlink City has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGPhysically secure charging station enclosures to prevent unauthorized disassembly and access to internal communication ports

CVEs (7)

CVE-2021-22724 CVE-2021-22725 CVE-2021-22818 CVE-2021-22819 CVE-2021-22820 CVE-2021-22821 CVE-2021-22822

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/500f8fc0-403c-4fe1-a94e-840615c934eb

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.