CVE-2025-3606 – Vestel AC Charger version 3.75.0 contains an in... (How to Fix)

Q: What is the severity of CVE-2025-3606?

CVE-2025-3606 has a CVSS score of 7.5 (HIGH). Vestel AC Charger version 3.75.0 contains an information disclosure vulnerability that allows attackers to access files containing sensitive credentials. This could enable further compromise of the charging device. Organizations using affected Vestel AC Chargers are impacted.

📋 TL;DR

Vestel AC Charger version 3.75.0 contains an information disclosure vulnerability that allows attackers to access files containing sensitive credentials. This could enable further compromise of the charging device. Organizations using affected Vestel AC Chargers are impacted.

💻 Affected Systems

Products:

Vestel AC Charger

Versions: 3.75.0

Operating Systems: Embedded/Proprietary

Default Config Vulnerable: ⚠️ Yes

Notes: Only version 3.75.0 is confirmed affected; other versions may also be vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain administrative credentials, gain full control of the charging device, and potentially pivot to other network systems.

🟠

Likely Case

Attackers access credential files and use them to compromise the charging device's management interface.

🟢

If Mitigated

Attackers can access files but find no sensitive information due to proper credential management and access controls.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Information disclosure vulnerabilities typically require minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://firebasestorage.googleapis.com/v0/b/vestel-shield.firebasestorage.app/o/PRODUCTION%2F1%2FVSA-1_R2.pdf?alt=media&token=8201f299-5014-4720-9200-f1b335736ac1

Restart Required: Yes

Instructions:

1. Contact Vestel for patch availability. 2. Apply patch when available. 3. Restart device after patching.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate AC chargers from internet and restrict internal network access

Credential Rotation

all

Change all credentials stored on affected devices

🧯 If You Can't Patch

Segment charging devices on isolated network segments
Implement strict firewall rules to limit access to charging devices

🔍 How to Verify

Check if Vulnerable:

Check device version via management interface; if version is 3.75.0, device is vulnerable.

Check Version:

Check via device management interface or console

Verify Fix Applied:

Verify version has been updated from 3.75.0 to a patched version.

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns
Multiple failed authentication attempts followed by successful access

Network Indicators:

Unusual traffic to charging device management ports
Requests for sensitive file paths

SIEM Query:

source_ip='charging_device' AND (event_type='file_access' OR event_type='auth_success')

📊 Metadata

CVE ID: CVE-2025-3606

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-497

EPSS Score: 0.08% exploit probability (24.5th percentile)

Published: April 25, 2025

Last Updated: April 29, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-3606, you might also want to check these: