CVE-2021-22726
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Schneider Electric EVlink electric vehicle charging stations. An attacker can submit malicious parameters to the web server to make it perform unintended requests to internal or external systems. This affects EVlink City, EVlink Parking, and EVlink Smart Wallbox charging stations.
💻 Affected Systems
- EVlink City (EVC1S22P4)
- EVlink City (EVC1S7P4)
- EVlink Parking (EVW2)
- EVlink Parking (EVF2)
- EVlink Parking (EV.2)
- EVlink Smart Wallbox (EVB1A)
📦 What is this software?
- EVlink City (EVC1S22P4) firmware by Schneider Electric
- EVlink City (EVC1S7P4) firmware by Schneider Electric
- EVlink Parking (EV.2) firmware by Schneider Electric
- EVlink Parking (EVF2) firmware by Schneider Electric
- EVlink Parking (EVW2) firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
An attacker could use the charging station as a proxy to attack internal systems, access sensitive data from internal services, or perform network reconnaissance.
Likely Case
Attackers scanning for vulnerable charging stations could use them to probe internal networks or access metadata services in cloud environments.
If Mitigated
With proper network segmentation and the patch applied, the risk is limited to the charging station itself with no lateral movement capability.
🎯 Exploit Status
The vulnerability requires web server access but no authentication, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R8 V3.4.0.1
Vendor Advisory: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06
Restart Required: Yes
Instructions:
1. Download firmware version R8 V3.4.0.1 from the Schneider Electric portal.
2. Upload the firmware to the charging station via the web interface.
3. Apply the firmware update.
4. Reboot the charging station to complete the installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate charging stations on a separate VLAN with restricted outbound access
Access Control
Restrict web interface access to authorized management networks only
🧯 If You Can't Patch
- Segment charging stations on isolated network with no internet or internal network access
- Implement strict firewall rules to block all outbound traffic from charging stations except essential management traffic
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface or management console. If the version is earlier than R8 V3.4.0.1, the system is vulnerable.
Check Version:
Access the charging station web interface and navigate to the System Information or Firmware Status page.
Verify Fix Applied:
Confirm firmware version shows R8 V3.4.0.1 or later in the web interface or management console.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from charging station IP
- Multiple failed connection attempts to internal services
Network Indicators:
- Charging station making HTTP requests to unexpected internal IPs
- Traffic from charging station to non-standard ports
SIEM Query (pseudo-syntax; replace the placeholder with the station's actual address):
source_ip="<charging_station_ip>" AND protocol="HTTP" AND dest_port!=80 AND dest_port!=443