CVE-2021-22729
📋 TL;DR
This vulnerability allows attackers to gain administrative access to Schneider Electric EVlink charging stations by exploiting hard-coded passwords in the web server. Affected products include EVlink City, EVlink Parking, and EVlink Smart Wallbox charging stations running versions prior to R8 V3.4.0.1.
💻 Affected Systems
- EVlink City (EVC1S22P4, EVC1S7P4)
- EVlink Parking (EVW2, EVF2, EV.2)
- EVlink Smart Wallbox (EVB1A)
📦 What is this software?
EVlink City EVC1S22P4 Firmware by Schneider Electric
EVlink City EVC1S7P4 Firmware by Schneider Electric
EVlink Parking EV.2 Firmware by Schneider Electric
EVlink Parking EVF2 Firmware by Schneider Electric
EVlink Parking EVW2 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of charging station allowing attackers to disable charging, manipulate billing, access connected networks, or cause physical damage through electrical manipulation.
Likely Case
Unauthorized administrative access enabling attackers to disrupt charging operations, steal user data, or use the station as an entry point to connected networks.
If Mitigated
Limited impact if stations are isolated from critical networks and monitored for unauthorized access attempts.
🎯 Exploit Status
Exploitation requires only knowledge of the hard-coded password and network access to the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R8 V3.4.0.1
Vendor Advisory: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06
Restart Required: Yes
Instructions:
1. Download firmware R8 V3.4.0.1 from Schneider Electric portal.
2. Backup current configuration.
3. Upload and install new firmware via web interface.
4. Verify installation and restore configuration if needed.
🔧 Temporary Workarounds
Network Isolation
Isolate charging stations from internet and critical internal networks using VLANs or firewalls.
Access Control Lists
Restrict web interface access to authorized management IP addresses only.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate charging stations from critical systems
- Monitor for unauthorized access attempts and implement alerting for administrative login events
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the web interface under System Information. If the version is earlier than R8 V3.4.0.1, the system is vulnerable.
Check Version:
Access web interface and navigate to System Information page
Verify Fix Applied:
Verify that the firmware version shows R8 V3.4.0.1 or later in System Information. Test that the hard-coded password no longer works.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login
- Administrative access from unexpected IP addresses
- Configuration changes without authorized change tickets
Network Indicators:
- HTTP requests to /login or administrative endpoints from unauthorized sources
- Unusual outbound connections from charging stations
SIEM Query:
source="evlink_web_logs" AND (event="login_success" OR event="admin_access") AND NOT src_ip IN authorized_management_ips
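The first two log indicators and the allowlist check from the SIEM query, as an added Python example (not code from the vendor advisory or from this page's source). The JSON-lines log format, the `ts` field, the `login_failure` event name, the threshold of three failures and the sample addresses are assumptions; `event`, `src_ip`, `login_success` and `admin_access` follow the query above.

```python
import json
from collections import defaultdict

# Assumed management allowlist (constructed RFC 5737 documentation addresses).
AUTHORIZED_MANAGEMENT_IPS = {"192.0.2.10", "192.0.2.11"}
FAILURE_THRESHOLD = 3  # assumed: failed logins before a success that raise an alert

# Constructed sample log; JSON-lines format and "login_failure" are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-01-01T08:00:01Z", "event": "login_success", "src_ip": "192.0.2.10"}
{"ts": "2024-01-01T08:05:10Z", "event": "login_failure", "src_ip": "198.51.100.23"}
{"ts": "2024-01-01T08:05:12Z", "event": "login_failure", "src_ip": "198.51.100.23"}
{"ts": "2024-01-01T08:05:15Z", "event": "login_failure", "src_ip": "198.51.100.23"}
{"ts": "2024-01-01T08:05:20Z", "event": "login_success", "src_ip": "198.51.100.23"}
{"ts": "2024-01-01T08:05:31Z", "event": "admin_access", "src_ip": "198.51.100.23"}
not-json
{"ts": "2024-01-01T08:10:00Z", "event": "login_failure", "src_ip": "192.0.2.11"}
{"ts": "2024-01-01T08:10:05Z", "event": "login_success", "src_ip": "192.0.2.11"}
"""

def detect(log_text, allowlist=AUTHORIZED_MANAGEMENT_IPS, threshold=FAILURE_THRESHOLD):
    """Return (rule, src_ip, ts) alerts for the two log indicators."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per source IP
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            event, ip, ts = rec["event"], str(rec["src_ip"]), rec["ts"]
        except (ValueError, KeyError, TypeError):
            continue  # skip blank or malformed records instead of aborting
        if event == "login_failure":
            failures[ip] += 1
            continue
        if event == "login_success":
            if failures[ip] >= threshold:
                alerts.append(("failures_then_success", ip, ts))
            failures[ip] = 0  # a success ends the run of failures
        if event in ("login_success", "admin_access") and ip not in allowlist:
            alerts.append(("unauthorized_admin_source", ip, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A login with the hard-coded password succeeds on the first attempt, so the allowlist rule is the one that catches it; the failure-run rule only covers guessing that precedes a success.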