CVE-2025-5826

Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability. This vulnerability allows network-adjacent attackers to inject arbitrary AT commands on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ble_process_esp32_msg function. The issue results from misinterpretation of input data. An attacker can leverage this vulnerability to execute AT commands in the context of the device. Was ZDI-CAN-26368.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector : AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability : 2.8 / Impact : 3.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.zerodayinitiative.com/advisories/ZDI-25-345/

Configurations

No configuration.

History

26 Jun 2025, 18:57

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-25 18:15

Updated : 2025-06-26 18:57

NVD link : CVE-2025-5826

Mitre link : CVE-2025-5826

CVE.ORG link : CVE-2025-5826

JSON object : View

Products Affected

No product.

CWE

CWE-115

Misinterpretation of Input

{"id": "CVE-2025-5826", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2025-06-25T18:15:23.433", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-345/", "source": "zdi-disclosures@trendmicro.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "zdi-disclosures@trendmicro.com", "description": [{"lang": "en", "value": "CWE-115"}]}], "descriptions": [{"lang": "en", "value": "Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability. This vulnerability allows network-adjacent attackers to inject arbitrary AT commands on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ble_process_esp32_msg function. The issue results from misinterpretation of input data. An attacker can leverage this vulnerability to execute AT commands in the context of the device. Was ZDI-CAN-26368."}, {"lang": "es", "value": "Vulnerabilidad de interpretaci\u00f3n err\u00f3nea de datos de entrada en Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg. Esta vulnerabilidad permite a atacantes adyacentes a la red inyectar comandos AT arbitrarios en las instalaciones afectadas de las estaciones de carga Autel MaxiCharger AC Wallbox Commercial. No se requiere autenticaci\u00f3n para explotar esta vulnerabilidad. La falla espec\u00edfica se encuentra en la funci\u00f3n ble_process_esp32_msg. El problema se debe a la interpretaci\u00f3n err\u00f3nea de los datos de entrada. Un atacante puede aprovechar esta vulnerabilidad para ejecutar comandos AT en el contexto del dispositivo. Anteriormente, se denomin\u00f3 ZDI-CAN-26368."}], "lastModified": "2025-06-26T18:57:43.670", "sourceIdentifier": "zdi-disclosures@trendmicro.com"}