CVE-2021-22774
📋 TL;DR
This vulnerability allows attackers to recover user account credentials from Schneider Electric EVlink charging stations through dictionary attacks. The affected systems store passwords using unsalted one-way hashes, making them vulnerable to offline cracking. All EVlink City, EVlink Parking, and EVlink Smart Wallbox devices running versions prior to R8 V3.4.0.1 are impacted.
💻 Affected Systems
- EVlink City (EVC1S22P4)
- EVlink City (EVC1S7P4)
- EVlink Parking (EVW2)
- EVlink Parking (EVF2)
- EVlink Parking (EV.2)
- EVlink Smart Wallbox (EVB1A)
📦 What is this software?
Evlink City Evc1s22p4 Firmware by Schneider Electric
Evlink City Evc1s7p4 Firmware by Schneider Electric
Evlink Parking Ev.2 Firmware by Schneider Electric
Evlink Parking Evf2 Firmware by Schneider Electric
Evlink Parking Evw2 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to charging stations, potentially disrupting charging services, manipulating billing data, or accessing connected networks.
Likely Case
Attackers compromise user accounts to access charging services without payment or gather credential data for further attacks.
If Mitigated
With proper network segmentation and monitoring, impact is limited to credential exposure without broader system compromise.
🎯 Exploit Status
Exploitation requires access to password hashes, which may be obtained through other vulnerabilities or physical access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R8 V3.4.0.1
Vendor Advisory: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06
Restart Required: Yes
Instructions:
1. Download firmware version R8 V3.4.0.1 from Schneider Electric portal. 2. Follow manufacturer's firmware update procedure for your specific EVlink model. 3. Verify successful update and restart device.
🔧 Temporary Workarounds
Network segmentation
allIsolate charging stations from critical networks and limit access to management interfaces.
Strong password policy
allEnforce complex, unique passwords for all user accounts to reduce dictionary attack effectiveness.
🧯 If You Can't Patch
- Implement network access controls to restrict management interface access to authorized IPs only.
- Monitor authentication logs for failed login attempts and implement account lockout policies.
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or management console. If version is earlier than R8 V3.4.0.1, device is vulnerable.Check Version:
Check via web interface: Login to device management portal and navigate to System Information or About page.Verify Fix Applied:
Confirm firmware version shows R8 V3.4.0.1 or later in device management interface.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from single source
- Successful logins from unusual locations or times
Network Indicators:
- Unusual traffic patterns to charging station management ports
- Brute-force attack patterns against authentication endpoints
SIEM Query:
source="evlink" AND (event_type="auth_failure" AND count > 10 within 5min) OR (event_type="auth_success" AND user="admin" AND src_ip NOT IN allowed_ips)