EcoStruxure EV Charging Expert

Plan PatchCVSS 8.2SEVD-2022-039-02Feb 8, 2022

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric's EcoStruxure EV Charging Expert contains multiple vulnerabilities that allow unauthorized access to the web server without authentication. Affected versions are earlier than SP8 (Version 01) V4.0.0.13. Successful exploitation could allow attackers to modify charger settings, alter user accounts, disable charging stations, intercept communications with the supervision system, and cause service outages. The vulnerability can be exploited remotely over the network. No special tools or high technical skill are required for exploitation.

What this means

What could happen

An attacker with network access to the EV charging management system could tamper with charger settings, disable charging stations, modify user accounts, or prevent communication with the supervision system, causing service interruptions and unauthorized charging use.

Who's at risk

Operators of EV charging infrastructure managed by EcoStruxure EV Charging Expert should prioritize this fix. The vulnerability affects load management, access control, and supervision systems for electric vehicle charging stations used by utilities and fleet operators. Any municipal or private organization operating networked EV charging infrastructure is at risk.

How it could be exploited

An attacker accesses the EcoStruxure web server over the network without authentication credentials. Once connected, the attacker can modify system settings, accounts, and charging station configurations, or trigger denial of service conditions that prevent normal charging operations.

Prerequisites

Network access to the EcoStruxure EV Charging Expert web server
No authentication required

remotely exploitableno authentication requiredlow complexityaffects service availabilityaffects charging infrastructure operations

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

EcoStruxure EV Charging<SP8 (Version 01) V4.0.0.13SP8 (Version 01) V4.0.0.13

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGEnsure EcoStruxure EV Charging Expert is not accessible from the internet; restrict network access to authorized internal networks only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EcoStruxure EV Charging Expert to SP8 (Version 01) V4.0.0.13 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate EV charging management systems from untrusted networks

CVEs (1)

CVE-2022-22808

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b749ff14-6237-4b60-9a66-f0c001c77795

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.