OTPulse

Improper Access Control Vulnerability in Heliox EV Chargers

Low Risk 2.6 | SSA-126399 | Mar 10, 2026
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Heliox EV Chargers (Flex 180 kW and Mobile DC 40 kW models) contain improper access control in service endpoints that could allow an attacker with physical access to the charging cable to reach unauthorized services. Affected versions are Flex 180 kW versions below F4.11.1 and Mobile DC 40 kW versions below L4.10.1. Siemens recommends updating to the latest firmware versions via OTA update.

What this means
What could happen
An attacker with physical access to the charging cable could reach unauthorized services on the charger, potentially disrupting charging operations or accessing charger management functions without proper authentication.
Who's at risk
Electric utility operators and fleet charging network operators managing Heliox EV charging stations, particularly those with Flex 180 kW and Mobile DC 40 kW models deployed in public or semi-public locations where physical access to charging equipment is possible.
How it could be exploited
An attacker with physical access to the EV charging cable could bypass access controls to reach internal services running on the charger. This requires direct physical connection to the charging connector or cable.
Prerequisites
  • Physical access to the charging cable or connector
  • Knowledge of the exposed service endpoints
requires physical access · low CVSS score · affects charging infrastructure availability
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Heliox Flex 180 kW EV Charging Station | All versions < F4.11.1 | F4.11.1
Heliox Mobile DC 40 kW EV Charging Station | All versions < L4.10.1 | L4.10.1
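
Added example (not part of the advisory or any vendor tooling): a fleet inventory triage against the fixed versions in the table above. It assumes firmware strings have the shape shown in the advisory (one letter, then three dot-separated numbers), that the numbers order component by component, and that the letter identifies the model's firmware line; the inventory rows are constructed.

```python
import re

# Fixed firmware versions from the advisory's affected-products table.
FIXED = {
    "Heliox Flex 180 kW": "F4.11.1",
    "Heliox Mobile DC 40 kW": "L4.10.1",
}
_VERSION = re.compile(r"^([A-Z])(\d+)\.(\d+)\.(\d+)$")  # assumed format


def parse_version(text):
    """Split 'F4.11.1' into ('F', (4, 11, 1)); raise ValueError on other shapes."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return m.group(1), tuple(int(g) for g in m.group(2, 3, 4))


def status(model, firmware):
    """Return 'affected', 'fixed', or 'review' for one inventory row."""
    if model not in FIXED:
        return "review"          # not a model listed in the advisory
    try:
        prefix, have = parse_version(firmware)
    except ValueError:
        return "review"          # unknown format: check by hand, never assume fixed
    fixed_prefix, need = parse_version(FIXED[model])
    if prefix != fixed_prefix:
        return "review"          # prefix does not match this model's firmware line
    # Compare as integer tuples: as plain strings, "F4.9.3" sorts after "F4.11.1".
    return "affected" if have < need else "fixed"


# Constructed sample inventory (site IDs and installed versions are made up).
INVENTORY = [
    ("depot-01", "Heliox Flex 180 kW", "F4.9.3"),
    ("depot-02", "Heliox Flex 180 kW", "F4.11.1"),
    ("yard-07", "Heliox Mobile DC 40 kW", "L4.10.0"),
    ("yard-08", "Heliox Mobile DC 40 kW", "L4.9"),
    ("yard-09", "Heliox Mobile DC 40 kW", "F4.11.1"),
]


def triage(inventory):
    """Map each site ID to its status."""
    return {site: status(model, fw) for site, model, fw in inventory}


if __name__ == "__main__":
    print(triage(INVENTORY))
```

Rows marked "review" are the ones to confirm by hand before treating a charger as patched.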
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Heliox Flex 180 kW to firmware version F4.11.1 or later via OTA update
HOTFIX: Update Heliox Mobile DC 40 kW to firmware version L4.10.1 or later via OTA update
HOTFIX: Contact Siemens customer support to obtain and schedule OTA firmware updates
Long-term hardening
HARDENING: Restrict physical access to EV charging cables and connectors when chargers are not in use