CVE-2025-6678

CVSS: 7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to read sensitive information from Autel MaxiCharger AC Wallbox Commercial charging stations without authenticating. The flaw is in the pile API, which exposes functionality without first requiring authentication; the information disclosed includes credentials, which an attacker can then use to compromise the device further. Every device running affected firmware is exposed in its default configuration, since the missing check is in the firmware itself rather than in a setting.

💻 Affected Systems

Products:
  • Autel MaxiCharger AC Wallbox Commercial
Versions: Specific versions not disclosed in advisory; all versions with vulnerable Pile API implementation
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable as authentication is completely missing from the affected API endpoint.

📦 What is this software?

Autel MaxiCharger AC Wallbox Commercial is a networked AC electric-vehicle charging station sold for commercial sites (car parks, fleet depots, workplaces). It runs embedded firmware and exposes a local management API (the "pile API" named in the advisory; "pile" is the term the vendor uses for the charging unit itself) that the vendor's tooling uses to configure and operate the unit.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker uses the disclosed credentials to log in as an administrator, takes full control of the charging station, alters or interrupts charging sessions, and uses the device as a foothold into the network it is connected to. Whether the disclosed credentials also grant access to other systems (a back-end or shared management account) depends on what the device stores; the advisory only states that credentials are disclosed.

🟠

Likely Case

An attacker on a reachable network harvests credentials and configuration data from every exposed station, which can enable unauthorized charging, billing fraud, or lateral movement if the same credentials are reused elsewhere.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to credential exposure requiring rotation and potential charging station configuration changes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ None known
Weaponized: Not publicly known; weaponization would be trivial because no authentication bypass is needed
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Because the pile API performs no authentication, exploitation is a matter of sending ordinary requests to it; the only prerequisite is network reachability of the charging station's API endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-342/

Restart Required: Yes

Instructions:

1. Contact Autel (or check the Autel support portal) for firmware that addresses CVE-2025-6678; the advisory does not name a fixed version
2. Download the latest firmware from the Autel support portal
3. Apply the firmware update following the manufacturer's instructions
4. Restart the charging station so the updated firmware takes effect

🔧 Temporary Workarounds

Network Segmentation (applies to: all affected versions)

Isolate charging stations from untrusted networks and from direct internet access

Firewall Rules (applies to: all affected versions)

Restrict access to the charging station's management interfaces and API ports to authorized management hosts only

🧯 If You Can't Patch

  • Segment charging stations on a dedicated VLAN with strict firewall rules permitting only known management hosts
  • Monitor for API requests to the stations from any source outside that set of hosts
  • Rotate any credentials stored on a station that has been reachable from an untrusted network, since they may already have been disclosed

🔍 How to Verify

Check if Vulnerable:

From a host on the same network, send requests to pile API endpoints with no session cookie or credentials. A response that returns management data (in particular any credential material) instead of an authentication error indicates the station is vulnerable. Test only stations you are authorized to assess.

Check Version:

Check firmware version through charging station web interface or management console

Verify Fix Applied:

Repeat the same unauthenticated requests after installing the firmware update and confirm that every pile API endpoint now rejects them (for an HTTP API, a 401 or 403 rather than a 200 with data); also confirm the firmware version shown in the web interface matches the version Autel identifies as fixed.
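The check above, written as an added example that is not Autel's code and not the advisory's proof of concept. The advisory does not publish the pile API paths, so the CANDIDATE_PATHS list below is a hypothetical placeholder; replace it with the endpoints from your device's documentation or from a capture of legitimate management traffic. The script sends bare GET requests (no cookies, no Authorization header) and classifies each response: a 401/403 means the endpoint is protected, a 2xx whose body contains credential-looking fields means the vulnerability is present, and a 2xx without them is still unauthenticated access worth reporting.

```python
"""Unauthenticated-access probe for a charging-station HTTP API.

Added example, not Autel's code. CANDIDATE_PATHS are hypothetical placeholders:
the advisory does not name the pile API endpoints.
"""
import json
import re
import urllib.error
import urllib.request

# Hypothetical endpoint list (placeholders, not from the advisory).
CANDIDATE_PATHS = ["/api/pile/info", "/api/pile/config"]

# Field names that indicate credential material in a reply.
CREDENTIAL_KEY_RE = re.compile(
    r"(pass(word)?|pwd|secret|token|api[_-]?key|psk)", re.IGNORECASE
)


def credential_keys(body: str) -> list[str]:
    """Return field names in `body` that look like credentials.

    JSON bodies are walked recursively; anything else is scanned for
    key=value / key: value pairs with a regex.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        names = re.findall(r"[A-Za-z_\-]+(?=\s*[:=])", body)
        return sorted({n for n in names if CREDENTIAL_KEY_RE.search(n)})
    found: list[str] = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if CREDENTIAL_KEY_RE.search(key):
                    found.append(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return found


def classify(status: int, body: str) -> str:
    """Classify one response to an unauthenticated request.

    'protected'   : server demanded authentication (401/403) -> fixed/not exposed
    'leaks_creds' : 2xx with credential-looking fields -> vulnerable
    'open'        : 2xx without obvious credentials -> still unauthenticated access
    'other'       : 404/5xx etc. -> the path is probably wrong for this firmware
    """
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "leaks_creds" if credential_keys(body) else "open"
    return "other"


def probe(base_url: str, paths=CANDIDATE_PATHS, timeout: float = 5.0) -> dict[str, str]:
    """GET each path with no credentials and return {path: verdict}."""
    results: dict[str, str] = {}
    for path in paths:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, headers={"User-Agent": "pile-api-check"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify(resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:  # non-2xx still carries a status and body
            results[path] = classify(err.code, err.read().decode("utf-8", "replace"))
        except (urllib.error.URLError, OSError) as err:
            results[path] = f"unreachable: {err}"
    return results


if __name__ == "__main__":
    import sys

    # Usage: python probe.py http://<station-ip>
    for path, verdict in probe(sys.argv[1]).items():
        print(f"{path}: {verdict}")
```

Run it before patching and again afterwards: every path that moves from `leaks_creds` or `open` to `protected` confirms the fix for that endpoint. A path that returns `other` both times tells you nothing about the vulnerability, only that the placeholder path does not exist on that firmware.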

📡 Detection & Monitoring

Log Indicators:

  • Requests to pile API endpoints that carry no session or credentials yet receive a successful response
  • Requests to pile API endpoints from hosts that are not the known management systems, especially the same source walking several stations in quick succession

Network Indicators:

  • Traffic to charging station API ports from sources outside the management network or VLAN
  • Responses from a charging station to a non-management host that carry configuration or credential material (observable only where the API is served in cleartext)

SIEM Query:

source_ip NOT IN authorized_ips AND destination_port IN [charging_station_ports] AND protocol = http

(Pseudo-query; substitute your SIEM's field names, the charging station subnet, and the ports the stations actually listen on.)
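The pseudo-query above, implemented as an added example over constructed firewall-style connection logs; this is not code from the page or the vendor. The log line format, the 10.20.0.0/24 charger subnet, the authorized management hosts, the API ports and the URI paths are all assumptions made for the example; map them to the fields your own firewall or proxy emits.

```python
"""Detect unauthorized HTTP access to charging-station API ports.

Added example. Inventory, log format and sample lines are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Assumed inventory (constructed): charger subnet, permitted management sources, API ports.
CHARGER_NET = ipaddress.ip_network("10.20.0.0/24")
AUTHORIZED_SOURCES = [ipaddress.ip_network(n) for n in ("10.1.5.10/32", "10.1.5.0/28")]
CHARGER_API_PORTS = {80, 8080}

# Assumed key=value export format (constructed); adjust to your firewall/proxy.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
    r"(?: uri=(?P<uri>\S+))?"
)


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_authorized(src: str) -> bool:
    """True if the source address falls inside an allowed management range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_SOURCES)


def suspicious(event) -> bool:
    """Mirror of the SIEM pseudo-query: unauthorized source -> charger API port over http."""
    return (
        event["proto"].lower() == "http"
        and ipaddress.ip_address(event["dst"]) in CHARGER_NET
        and event["dport"] in CHARGER_API_PORTS
        and not is_authorized(event["src"])
    )


def detect(lines):
    """Return (matching events, per-source counts).

    A single source touching several stations in a short window is the
    sweep pattern that should be escalated rather than treated as noise.
    """
    alerts = [ev for ev in map(parse, lines) if ev and suspicious(ev)]
    per_source = Counter(ev["src"] for ev in alerts)
    return alerts, per_source


# Constructed sample log: one authorized poll, one unauthorized sweep of two
# stations, one TLS request, one request to a non-charger host, one junk line.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z src=10.1.5.10 dst=10.20.0.15 dport=80 proto=http uri=/api/status
2025-07-01T10:00:07Z src=192.168.50.23 dst=10.20.0.15 dport=80 proto=http uri=/api/pile/config
2025-07-01T10:00:08Z src=192.168.50.23 dst=10.20.0.16 dport=80 proto=http uri=/api/pile/config
2025-07-01T10:00:09Z src=10.1.5.10 dst=10.20.0.16 dport=443 proto=https uri=/api/status
2025-07-01T10:00:11Z src=192.168.50.23 dst=10.1.5.10 dport=80 proto=http uri=/
garbage line that does not parse
""".splitlines()


if __name__ == "__main__":
    alerts, per_source = detect(SAMPLE_LOG)
    for ev in alerts:
        print(f"{ev['ts']} ALERT {ev['src']} -> {ev['dst']}:{ev['dport']} {ev.get('uri')}")
    for src, n in per_source.items():
        print(f"{src}: {n} unauthorized charger API request(s)")
```

Only the two requests from 192.168.50.23 to stations in the charger subnet match; the authorized poller, the HTTPS request and the request to a non-charger host do not. The per-source count is what turns individual hits into a "one host sweeping the fleet" signal.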

🔗 References

  • ZDI-25-342: https://www.zerodayinitiative.com/advisories/ZDI-25-342/
  • NVD entry for CVE-2025-6678: https://nvd.nist.gov/vuln/detail/CVE-2025-6678