CVE-2021-22707
📋 TL;DR
This vulnerability involves hard-coded administrative credentials in Schneider Electric EVlink charging stations, allowing attackers to issue unauthorized commands with full administrative privileges. Affected systems include EVlink City, EVlink Parking, and EVlink Smart Wallbox charging stations running versions prior to R8 V3.4.0.1.
💻 Affected Systems
- EVlink City (EVC1S22P4 / EVC1S7P4)
- EVlink Parking (EVW2 / EVF2 / EV.2)
- EVlink Smart Wallbox (EVB1A)
📦 What is this software?
Evlink City Evc1s22p4 Firmware by Schneider Electric
Evlink City Evc1s7p4 Firmware by Schneider Electric
Evlink Parking Ev.2 Firmware by Schneider Electric
Evlink Parking Evf2 Firmware by Schneider Electric
Evlink Parking Evw2 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of charging station functionality, enabling attackers to disable charging, manipulate billing, cause physical damage through electrical manipulation, or use the station as an entry point into connected networks.
Likely Case
Unauthorized administrative access allowing attackers to disrupt charging operations, steal electricity, or gather sensitive user data from the charging station.
If Mitigated
Limited impact if stations are isolated on separate networks with strict firewall rules and network segmentation preventing external access.
🎯 Exploit Status
Exploitation requires only knowledge of the hard-coded credentials and network access to the charging station's web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R8 V3.4.0.1
Vendor Advisory: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06
Restart Required: Yes
Instructions:
1. Download firmware version R8 V3.4.0.1 from Schneider Electric's website. 2. Follow the vendor's firmware update procedure for your specific EVlink model. 3. Verify the update completed successfully. 4. Change any default passwords after updating.
🔧 Temporary Workarounds
Network Segmentation
allIsolate charging stations on separate VLANs with strict firewall rules preventing external access to the web interface.
Access Control Lists
allImplement IP-based access control to restrict web interface access to authorized management systems only.
🧯 If You Can't Patch
- Segment charging stations on isolated networks with no internet access
- Implement strict firewall rules blocking all external access to charging station management interfaces
🔍 How to Verify
Check if Vulnerable:
Check firmware version via the charging station's web interface or management console. If version is earlier than R8 V3.4.0.1, the system is vulnerable.Check Version:
Access the charging station's web interface and navigate to System Information or Firmware Status page.Verify Fix Applied:
Confirm firmware version is R8 V3.4.0.1 or later via the web interface or management console.📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login with default credentials
- Unauthorized configuration changes
- Unusual administrative activity outside normal hours
Network Indicators:
- External IP addresses accessing charging station web interfaces
- Traffic to charging station management ports from unauthorized sources
SIEM Query:
source_ip IN (external_ips) AND dest_port=80 AND (user_agent CONTAINS 'admin' OR uri_path CONTAINS 'login') AND status_code=200