CVE-2021-22725
📋 TL;DR
This CSRF vulnerability in Schneider Electric EVlink charging stations allows attackers to perform unauthorized actions by tricking authenticated users into submitting malicious POST requests. Affected products include EVlink City, EVlink Parking, and EVlink Smart Wallbox models running firmware versions prior to R8 V3.4.0.2.
💻 Affected Systems
- EVlink City EVC1S22P4
- EVlink City EVC1S7P4
- EVlink Parking EVW2
- EVlink Parking EVF2
- EVlink Parking EVP2PE
- EVlink Smart Wallbox EVB1A
📦 What is this software?
Evb1a Firmware by Schneider Electric
Evc1s22p4 Firmware by Schneider Electric
Evc1s7p4 Firmware by Schneider Electric
Evf2 Firmware by Schneider Electric
Evp2pe Firmware by Schneider Electric
Evw2 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Attackers could remotely control charging stations, manipulate charging parameters, disable charging functionality, or potentially cause physical damage to connected vehicles.
Likely Case
Unauthorized configuration changes, service disruption, or billing manipulation through the charging station's web interface.
If Mitigated
With proper CSRF protections and network segmentation, impact is limited to configuration changes requiring authenticated sessions.
🎯 Exploit Status
Exploitation requires an authenticated user session and the ability to deliver malicious web content to the victim.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R8 V3.4.0.2
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-348-02
Restart Required: Yes
Instructions:
1. Download firmware R8 V3.4.0.2 from the Schneider Electric portal.
2. Back up the current configuration.
3. Upload and install the firmware via the web interface.
4. Reboot the charging station.
5. Verify the firmware version.
🔧 Temporary Workarounds
Network Segmentation
Isolate charging stations from untrusted networks and user workstations
CSRF Token Implementation
Add CSRF tokens to web forms if custom web interface modifications are possible
🧯 If You Can't Patch
- Segment charging station network from general corporate network
- Implement strict access controls and monitor for unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface or serial console. If the version is earlier than R8 V3.4.0.2, the system is vulnerable.
Check Version:
Check via web interface at /cgi-bin/version or similar endpoint, or via serial console using appropriate vendor commands.
Verify Fix Applied:
Verify firmware version shows R8 V3.4.0.2 or later in web interface or via serial console.
📡 Detection & Monitoring
Log Indicators:
- Unexpected configuration changes
- Multiple failed login attempts followed by configuration modifications
- POST requests from unusual IP addresses
Network Indicators:
- HTTP POST requests to charging station web interface from non-admin workstations
- Cross-origin requests to charging station endpoints
SIEM Query:
source_ip NOT IN (admin_ips) AND dest_ip IN (charging_station_ips) AND http_method = POST
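As an added example (not part of this advisory or the vendor's tooling), the SIEM rule above and the cross-origin network indicator applied to constructed proxy log lines. The pipe-delimited log format, the admin and charging station addresses, and the use of the HTTP Origin header are assumptions for illustration.

```python
# Added example: applies the advisory's SIEM rule plus a cross-origin check to
# constructed log lines. Log format and addresses are assumptions, not the
# EVlink device's own log format.
from urllib.parse import urlparse

ADMIN_IPS = {"10.0.5.10"}              # assumed admin workstation(s)
CHARGING_STATION_IPS = {"10.0.20.15"}  # assumed EVlink station address

# Constructed sample lines: src_ip|dst_ip|method|path|origin_header ("-" if absent)
SAMPLE_LOG = """\
10.0.5.10|10.0.20.15|POST|/config|http://10.0.20.15
10.0.7.42|10.0.20.15|POST|/config|http://10.0.20.15
10.0.5.10|10.0.20.15|POST|/config|http://untrusted.example
10.0.5.10|10.0.20.15|GET|/status|-
10.0.7.42|10.0.30.1|POST|/login|-
"""

def parse_line(line):
    src, dst, method, path, origin = line.split("|")
    return {"src": src, "dst": dst, "method": method, "path": path, "origin": origin}

def suspicious_reasons(entry):
    """Return the indicators a request matches (empty list if it matches none)."""
    reasons = []
    if entry["dst"] not in CHARGING_STATION_IPS:
        return reasons  # only traffic to the stations is in scope
    # SIEM rule: POST to a station from a source that is not an admin workstation.
    if entry["method"] == "POST" and entry["src"] not in ADMIN_IPS:
        reasons.append("POST from non-admin source")
    # Cross-origin indicator: browser-supplied Origin that is not the station itself,
    # which is what a CSRF-triggered request from another site would carry.
    if entry["origin"] != "-":
        host = urlparse(entry["origin"]).hostname
        if host not in CHARGING_STATION_IPS:
            reasons.append(f"cross-origin request from {host}")
    return reasons

def scan(log_text):
    """Return [(line_number, reasons)] for every line matching at least one indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            reasons = suspicious_reasons(parse_line(line))
            if reasons:
                hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
```

Line 1 (admin source, same-origin) and line 4 (GET) are not flagged; line 5 is out of scope because its destination is not a charging station.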