CVE-2025-31930
📋 TL;DR
This vulnerability affects Siemens EV chargers with Modbus service enabled by default, allowing attackers on the same network to remotely control charging operations. All listed Siemens EV charger models with firmware versions below V2.135 are affected.
💻 Affected Systems
- IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0)
- IEC 1Ph 7.4kW Child socket/shutter (8EM1310-2EN04-0GA0)
- IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1)
- IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2)
- IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1)
- IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2)
- IEC 1Ph 7.4kW Parent socket/shutter (8EM1310-2EN04-3GA1)
- IEC 1Ph 7.4kW Parent socket/shutter SIM (8EM1310-2EN04-3GA2)
- IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0)
- IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0)
- IEC 3Ph 22kW Child socket/shutter (8EM1310-3EN04-0GA0)
- IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1)
- IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2)
- IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1)
- IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2)
- IEC 3Ph 22kW Parent socket/shutter (8EM1310-3EN04-3GA1)
- IEC 3Ph 22kW Parent socket/shutter SIM (8EM1310-3EN04-3GA2)
- IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0)
- IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1)
- IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2)
- IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0)
- IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1)
- IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2)
- UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2)
- UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0)
- UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0)
- UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0)
- UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2)
- UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2)
- UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2)
- UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2)
- UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1)
- UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2)
- UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2)
- UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2)
- VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could remotely control EV chargers to cause electrical damage, disrupt charging infrastructure, manipulate billing, or create safety hazards through unauthorized power manipulation.
Likely Case
Attackers could disrupt charging operations, cause service outages, manipulate charging schedules, or access sensitive charger data.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated network segments with minimal operational disruption.
🎯 Exploit Status
Exploitation requires network access to the device but no authentication. Standard Modbus tools can be used for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V2.135
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-556937.html
Restart Required: Yes
Instructions:
1. Download firmware V2.135 from Siemens support portal.
2. Follow Siemens firmware update procedures for the specific EV charger model.
3. Verify successful update and restart the device.
🔧 Temporary Workarounds
Network Segmentation
Isolate EV chargers on separate VLANs with strict firewall rules blocking Modbus traffic (TCP port 502) from unauthorized networks.
Disable Modbus Service
If Modbus functionality is not required, disable the Modbus service through the device configuration interface.
🧯 If You Can't Patch
- Implement strict network access controls allowing only authorized management systems to communicate with EV chargers
- Deploy network monitoring to detect unauthorized Modbus traffic and connection attempts
🔍 How to Verify
Check if Vulnerable:
Check device firmware version through management interface or physical display. If version is below V2.135, device is vulnerable.
Check Version:
Check via Siemens management interface or device display - no universal command available
Verify Fix Applied:
Verify that the firmware version shows V2.135 or higher after the update. Test that Modbus connectivity from unauthorized networks is blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized Modbus connection attempts
- Unexpected configuration changes to EV chargers
- Failed authentication attempts to management interfaces
Network Indicators:
- Modbus traffic (TCP port 502) from unauthorized IP addresses
- Unusual Modbus function codes or register writes
- Traffic patterns inconsistent with normal charging operations
SIEM Query:
source_ip NOT IN (authorized_management_ips) AND dest_port=502 AND protocol=TCP
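
The network indicators and SIEM query above can be combined into a single check on captured traffic. The following is an added example, not code from Siemens or from this page: it parses the Modbus/TCP header of a payload sent to port 502 and flags unauthorized sources, write requests from them, and unusual function codes. The allow-list address, sample payloads and alert labels are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: management hosts allowed to speak Modbus to chargers (constructed).
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.20.0.10/32")]
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
# State-changing function codes from the Modbus application protocol.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}

def parse_modbus_tcp(payload: bytes):
    """Return MBAP fields and function code, or None if not a well-formed frame."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7]}

def classify(src_ip: str, dst_port: int, payload: bytes):
    """Return alert labels for one TCP payload sent toward a charger."""
    if dst_port != 502:
        return []
    alerts = []
    src = ipaddress.ip_address(src_ip)
    authorized = any(src in net for net in AUTHORIZED_SOURCES)
    if not authorized:
        alerts.append("unauthorized-source")
    frame = parse_modbus_tcp(payload)
    if frame is None:
        alerts.append("malformed-modbus")
    elif frame["function"] in WRITE_FUNCTIONS:
        if not authorized:
            alerts.append("unauthorized-write:" + WRITE_FUNCTIONS[frame["function"]])
    elif frame["function"] not in READ_FUNCTIONS:
        alerts.append("unusual-function:0x%02x" % frame["function"])
    return alerts

# Constructed sample payloads (register addresses are arbitrary, not charger-specific).
READ_REQ = bytes.fromhex("000100000006010300000002")
WRITE_REQ = bytes.fromhex("000200000006010600100000")
NOT_MODBUS = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for src, data in [("10.20.0.10", READ_REQ), ("192.168.1.50", WRITE_REQ),
                      ("192.168.1.50", NOT_MODBUS)]:
        print(src, classify(src, 502, data))
```

Writes from allow-listed hosts are not flagged here; tighten that branch if the management system is only expected to read.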