CVE-2025-5826

25.06.2025, 18:15

Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability. This vulnerability allows network-adjacent attackers to inject arbitrary AT commands on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the ble_process_esp32_msg function. The issue results from misinterpretation of input data. An attacker can leverage this vulnerability to execute AT commands in the context of the device. Was ZDI-CAN-26368.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.3 MEDIUM	ADJACENT_NETWORK	LOW	NONE	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
zdi	CNA	6.3 MEDIUM				CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-115 - Misinterpretation of Input
The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

References

https://www.zerodayinitiative.com/advisories/ZDI-25-345/