OTPulse

EcoStruxure EV Charging Expert

Plan Patch | CVSS 8.2 | SEVD-2022-039-02 | Feb 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric's EcoStruxure EV Charging Expert contains multiple vulnerabilities that allow unauthorized access to the web server without authentication. Affected versions are earlier than SP8 (Version 01) V4.0.0.13. Successful exploitation could allow attackers to modify charger settings, alter user accounts, disable charging stations, intercept communications with the supervision system, and cause service outages. The vulnerability can be exploited remotely over the network. No special tools or high technical skill are required for exploitation.

What this means
What could happen
An attacker with network access to the EV charging management system could tamper with charger settings, disable charging stations, modify user accounts, or prevent communication with the supervision system, causing service interruptions and unauthorized charging use.
Who's at risk
Operators of EV charging infrastructure managed by EcoStruxure EV Charging Expert should prioritize this fix. The vulnerability affects load management, access control, and supervision systems for electric vehicle charging stations used by utilities and fleet operators. Any municipal or private organization operating networked EV charging infrastructure is at risk.
How it could be exploited
An attacker accesses the EcoStruxure web server over the network without authentication credentials. Once connected, the attacker can modify system settings, accounts, and charging station configurations, or trigger denial of service conditions that prevent normal charging operations.
Prerequisites
  • Network access to the EcoStruxure EV Charging Expert web server
  • No authentication required
remotely exploitable, no authentication required, low complexity, affects service availability, affects charging infrastructure operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
EcoStruxure EV Charging | <SP8 (Version 01) V4.0.0.13 | SP8 (Version 01) V4.0.0.13
Remediation & Mitigation
Do now
HARDENING: Ensure EcoStruxure EV Charging Expert is not accessible from the internet; restrict network access to authorized internal networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure EV Charging Expert to SP8 (Version 01) V4.0.0.13 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate EV charging management systems from untrusted networks
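
One way to verify the two hardening items above against an exported firewall ruleset. This is an added example, not code from Schneider Electric or OTPulse; the server address, the authorized network, the ports and the rule format are all constructed assumptions, since the advisory gives none of them.

```python
import ipaddress

# Constructed values: hypothetical Charging Expert host and the only
# internal network that should be allowed to reach its web server.
SERVER = ipaddress.ip_address("10.20.30.40")
AUTHORIZED = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample rules: (action, source CIDR, destination CIDR, port);
# a port of None means "any port".
RULES = [
    ("allow", "10.20.0.0/16", "10.20.30.40/32", 443),   # management subnet only
    ("allow", "0.0.0.0/0", "10.20.30.0/24", 80),        # any source to the whole /24
    ("allow", "192.0.2.0/24", "10.20.30.40/32", None),  # external range, any port
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def exposing_rules(rules, server, authorized):
    """Return allow rules whose source is not fully inside an authorized
    network and whose destination covers the server.

    Rule order is ignored on purpose: every such allow rule is reported,
    even if an earlier deny would shadow it, so the result errs toward
    over-reporting and each finding still needs a manual look.
    """
    findings = []
    for action, src, dst, port in rules:
        if action != "allow":
            continue
        if server not in ipaddress.ip_network(dst):
            continue  # rule does not reach the charging management host
        src_net = ipaddress.ip_network(src)
        if not any(src_net.subnet_of(net) for net in authorized):
            findings.append((src, dst, port))
    return findings


if __name__ == "__main__":
    for src, dst, port in exposing_rules(RULES, SERVER, AUTHORIZED):
        print(f"review: {src} -> {dst} port {port if port else 'any'}")
```

An empty result means every allow rule that reaches the server is sourced from an authorized internal network.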
EcoStruxure EV Charging Expert | CVSS 8.2 - OTPulse