EVlink City / Parking / Smart Wallbox Charging Stations
Act Now | 9.3 | SEVD-2021-348-02 | Dec 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric EVlink City, Parking, and Smart Wallbox charging stations contain multiple vulnerabilities affecting access control and authentication. Exploitation requires either physical access to the charging station's internal communication port (via disassembly) or network access to a connected supervision system, particularly if exposed to the internet. Successful exploitation allows an attacker to gain unauthorized access to the web server and modify charging station settings, accounts, and configurations, leading to potential denial of service, unauthorized charging usage, charging data loss, and unauthorized disclosure of station settings.
What this means
What could happen
An attacker with physical access to the charging station's internal port or network access to a connected, internet-exposed station could gain unauthorized access to the web server and modify charging settings, accounts, or deny service—disrupting EV charging operations and potentially preventing billing data from reaching the supervision system.
Who's at risk
Energy utilities and facility operators responsible for EV charging infrastructure, including those managing private charging stations, semi-public parking facilities, and on-street charging networks. Any organization deploying EVlink City, Parking, or Smart Wallbox stations—particularly those connected to supervision systems or accessible over the internet.
How it could be exploited
An attacker either disassembles the charging station enclosure to access the internal communication port, or exploits network connectivity if the station is connected to a supervision system and exposed to the internet. Once they reach the web server, they can modify station settings or accounts due to insufficient access controls and weak authentication mechanisms.
Prerequisites
- Physical access to the charging station enclosure to reach the internal communication port, OR
- Network access to a charging station connected to a supervision system (especially if exposed to the internet)
- No valid credentials required to access the web server
remotely exploitable (if charging station connected to internet-facing supervision system) | no authentication required | low complexity attack (web server access) | high CVSS (9.3) | affects EV charging operations and revenue systems | no patch available for EVlink City and Smart Wallbox
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (3)
1 with fix, 1 pending, 1 EOL
Product | Affected Versions | Fix Status
EVlink City | <R8(3.4.0.2) | No fix (EOL)
EVlink Parking | <R8(3.4.0.2) | R8(3.4.0.2)
EVlink Wallbox | <R8(3.4.0.2) | No fix yet
Remediation & Mitigation
Do now
HARDENING: Ensure charging stations are not accessible from the internet; implement network segmentation to restrict access to supervision system networks
HARDENING: Apply network security best practices (firewall rules, VPN, access controls) to limit exposure of charging station supervision systems
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
EVlink Parking
HOTFIX: Update EVlink Parking firmware to R8 V3.4.0.2 or later (electronic board and commissioning tool version 3400-2 or newer)
EVlink City
HOTFIX: For EVlink City and Smart Wallbox: monitor Schneider Electric for future firmware updates addressing these vulnerabilities
Mitigations - no patch available
EVlink City has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Physically secure charging station enclosures to prevent unauthorized disassembly and access to internal communication ports
CVEs (7)