CVE-2025-5826

Q: What is the severity of CVE-2025-5826?

CVE-2025-5826 has a CVSS score of 6.3 (MEDIUM). This vulnerability allows attackers within Bluetooth range to send arbitrary AT commands to Autel MaxiCharger AC Wallbox Commercial charging stations without authentication. The flaw exists in how the device processes Bluetooth messages, potentially enabling remote code execution. Affected installations of these commercial EV charging stations are at risk.

6.3 MEDIUM

Remote Code Execution

📋 TL;DR

This vulnerability allows attackers within Bluetooth range to send arbitrary AT commands to Autel MaxiCharger AC Wallbox Commercial charging stations without authentication. The flaw exists in how the device processes Bluetooth messages, potentially enabling remote code execution. Affected installations of these commercial EV charging stations are at risk.

💻 Affected Systems

Products:

Autel MaxiCharger AC Wallbox Commercial

Versions: Specific versions not publicly disclosed in available references

Operating Systems: Embedded firmware on ESP32-based charging stations

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations appear vulnerable as authentication is not required. Requires attacker to be within Bluetooth range.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to disable charging, manipulate billing data, cause electrical damage, or use the device as an entry point to the broader network.

🟠

Likely Case

Disruption of charging services, unauthorized access to device functions, or collection of sensitive user/vehicle data.

🟢

If Mitigated

Limited impact if Bluetooth access is restricted and devices are isolated from critical networks.

🌐 Internet-Facing: LOW (requires physical proximity via Bluetooth)

🏢 Internal Only: MEDIUM (requires attacker to be within Bluetooth range of the charging station)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

No authentication required, but requires Bluetooth proximity and knowledge of AT command structure. ZDI-CAN-26368 suggests coordinated disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not yet released

Vendor Advisory: Not available at time of analysis

Restart Required: Yes

Instructions:

1. Monitor Autel security advisories. 2. Apply firmware update when available. 3. Restart charging stations after update.

🔧 Temporary Workarounds

Disable Bluetooth when not needed

all

Turn off Bluetooth functionality on charging stations if not required for normal operation

Physical access control

all

Restrict physical access to charging station locations to prevent attackers from getting within Bluetooth range

🧯 If You Can't Patch

Segment charging station network from critical infrastructure
Implement physical security controls to limit Bluetooth proximity access

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against vendor advisory when available. Currently no public verification method.

Check Version:

Check through device management interface or physical display - specific command not documented

Verify Fix Applied:

Verify firmware version matches patched version from vendor advisory

📡 Detection & Monitoring

Log Indicators:

Unusual Bluetooth connection attempts
AT command execution in device logs
Unexpected device behavior or reboots

Network Indicators:

Bluetooth traffic to charging stations from unauthorized devices
Unusual network traffic from charging stations

SIEM Query:

Not applicable - primarily requires physical/Bluetooth monitoring rather than network SIEM

📊 Metadata

CVE ID: CVE-2025-5826

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-115

EPSS Score: 0.03% exploit probability (7.3th percentile)

Published: June 25, 2025

Last Updated: September 10, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-25-345/ Third Party Advisory