CVE-2021-22820

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to maintain unauthorized access to EV charger web servers even after legitimate users change their passwords. Attackers can hijack active sessions and continue accessing the system. Affected products include Schneider Electric EVlink City, Parking, and Smart Wallbox chargers.

💻 Affected Systems

Products:
  • EVlink City EVC1S22P4
  • EVlink City EVC1S7P4
  • EVlink Parking EVW2
  • EVlink Parking EVF2
  • EVlink Parking EVP2PE
  • EVlink Smart Wallbox EVB1A
Versions: All versions prior to R8 V3.4.0.2
Operating Systems: Embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web server component of EV charging stations

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain persistent administrative access to EV charging infrastructure, potentially enabling manipulation of charging operations, data theft, or disruption of charging services.

🟠 Likely Case

Unauthorized access to charger management interfaces allowing configuration changes, user data viewing, or service disruption.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though session hijacking remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires session hijacking capability but session management flaws make exploitation straightforward

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R8 V3.4.0.2

Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-348-02

Restart Required: Yes

Instructions:

1. Download firmware R8 V3.4.0.2 from Schneider Electric portal.
2. Upload firmware to affected EV charger via management interface.
3. Apply firmware update.
4. Reboot charger to complete installation.

🔧 Temporary Workarounds

Network segmentation

Isolate EV charger management interfaces from untrusted networks

Session timeout reduction

Configure shorter session timeout values if available in management interface

🧯 If You Can't Patch

  • Implement strict network access controls to limit charger web interface access
  • Monitor for unusual session activity and implement regular password rotation

🔍 How to Verify

Check if Vulnerable:

Check firmware version in charger web interface. If version is prior to R8 V3.4.0.2, system is vulnerable.

Check Version:

Access charger web interface and navigate to System Information or Firmware Status page

Verify Fix Applied:

Confirm firmware version shows R8 V3.4.0.2 or later in management interface.

📡 Detection & Monitoring

Log Indicators:

  • Multiple active sessions from same user
  • Session activity continuing after password change
  • Unusual access patterns to management interface

Network Indicators:

  • Unexpected traffic to charger web ports (typically 80/443)
  • Session cookies being reused across different IP addresses

SIEM Query:

source="ev_charger_logs" AND (event="session_created" OR event="password_change") | stats count by user, session_id
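
The log and network indicators above, turned into a runnable check. This is an added example, not code from the vendor advisory or from the charger firmware. The field names user and session_id and the event names session_created and password_change follow the SIEM query above; the JSON-lines layout, the request event, ts and src_ip are assumptions, and the sample events are constructed.

```python
import json

# Constructed sample events (JSON lines); the layout is assumed, not the charger's real log format.
SAMPLE_LOG = """\
{"ts": 100, "event": "session_created", "user": "admin", "session_id": "s1", "src_ip": "10.0.0.5"}
{"ts": 130, "event": "session_created", "user": "admin", "session_id": "s2", "src_ip": "10.0.0.9"}
{"ts": 200, "event": "password_change", "user": "admin", "session_id": "s1", "src_ip": "10.0.0.5"}
{"ts": 210, "event": "request", "user": "admin", "session_id": "s1", "src_ip": "10.0.0.5"}
{"ts": 260, "event": "request", "user": "admin", "session_id": "s2", "src_ip": "10.0.0.9"}
{"ts": 300, "event": "session_created", "user": "admin", "session_id": "s3", "src_ip": "10.0.0.5"}
{"ts": 320, "event": "request", "user": "admin", "session_id": "s3", "src_ip": "203.0.113.7"}
"""

def detect(log_text):
    """Return alerts as (rule, user, session_id, ts) tuples, in time order."""
    created = {}    # session_id -> creation timestamp
    first_ip = {}   # session_id -> first source IP seen for that session
    pw_change = {}  # user -> (timestamp, session that performed the change)
    alerts = []
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    for e in events:
        sid, user, ts = e["session_id"], e["user"], e["ts"]
        if e["event"] == "session_created":
            created[sid] = ts
        elif e["event"] == "password_change":
            pw_change[user] = (ts, sid)
        # Indicator: session cookie reused from a different IP address.
        if e["src_ip"] != first_ip.setdefault(sid, e["src_ip"]):
            alerts.append(("session_ip_change", user, sid, ts))
        # Indicator: a session that predates the password change is still active.
        # The session that made the change is skipped (a tuning choice); a session
        # whose creation was never logged is treated as predating the change.
        if user in pw_change:
            changed_at, changer = pw_change[user]
            if sid != changer and created.get(sid, 0) < changed_at < ts:
                alerts.append(("stale_session_after_password_change", user, sid, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
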
