CVE-2025-5750 in Level 2 EV Charger
Summary
by MITRE • 06/06/2025
WOLFBOX Level 2 EV Charger tuya_svc_devos_activate_result_parse Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the secKey, localKey, stdTimeZone and devId parameters. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26294.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 08/14/2025
The CVE-2025-5750 vulnerability represents a critical heap-based buffer overflow flaw in the WOLFBOX Level 2 EV Charger firmware, specifically within the tuya_svc_devos_activate_result_parse function. This vulnerability resides in the device's handling of security parameters including secKey, localKey, stdTimeZone, and devId, creating a remote code execution vector that can be exploited by network-adjacent attackers without requiring authentication. The vulnerability stems from inadequate input validation mechanisms that fail to properly check the length of user-supplied data before copying it into fixed-length heap-based buffers, a pattern that aligns with CWE-121, Heap-based Buffer Overflow, which is classified as a fundamental memory safety issue in software development practices. The attack surface is particularly concerning given that the device operates in environments where it may be accessible to unauthenticated network entities, making it a prime target for exploitation in IoT security contexts.
The technical exploitation of this vulnerability occurs when the device processes activation results from Tuya's cloud services, specifically when parsing the aforementioned security parameters. The flaw manifests when the device receives malformed data containing excessively long values for secKey, localKey, stdTimeZone, or devId parameters, causing the application to copy this oversized data into a predetermined heap buffer without sufficient bounds checking. This buffer overflow condition creates an opportunity for attackers to overwrite adjacent memory locations, potentially corrupting program execution flow and enabling arbitrary code execution with the privileges of the affected device process. The vulnerability's remote nature and lack of authentication requirements significantly amplifies its threat level, as it allows attackers to compromise device integrity from outside the physical security perimeter.
The operational impact of this vulnerability extends beyond simple device compromise, as it represents a fundamental failure in the device's security architecture that could enable attackers to gain persistent access to charging infrastructure. Once exploited, attackers could potentially manipulate charging parameters, access sensitive data stored on the device, or use the compromised charger as a pivot point to target other systems within the network. This vulnerability directly relates to ATT&CK technique T1059.007 for Command and Scripting Interpreter: PowerShell and T1071.004 for Application Layer Protocol: DNS, as attackers could leverage the compromised device to establish command and control channels or exfiltrate data through legitimate network protocols. The vulnerability also represents a failure in secure coding practices that should be addressed through proper input validation, bounds checking, and memory management protocols.
Mitigation strategies for CVE-2025-5750 should focus on immediate firmware updates from WOLFBOX, as the vendor has likely released patches addressing the buffer overflow conditions in the affected parsing functions. Network segmentation and access controls should be implemented to limit exposure of these devices to untrusted networks, while monitoring systems should be deployed to detect anomalous traffic patterns that might indicate exploitation attempts. Security teams should also consider implementing network-based intrusion detection systems that can identify malformed Tuya protocol traffic targeting these specific parameters. The vulnerability highlights the importance of secure coding practices and input validation in IoT device development, particularly for devices handling security credentials and network communications, as outlined in industry standards such as NIST SP 800-160 and ISO/IEC 27030 for secure software development lifecycle practices. Organizations should conduct comprehensive vulnerability assessments of their IoT infrastructure to identify similar issues in other connected devices that may be susceptible to similar buffer overflow conditions.