CVE-2025-5827 in MaxiCharger AC Wallbox Commercial
Summary
by MITRE • 06/25/2025
Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the ble_process_esp32_msg function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26369.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/10/2025
The CVE-2025-5827 vulnerability represents a critical stack-based buffer overflow flaw in the Autel MaxiCharger AC Wallbox Commercial electric vehicle charging station. This device operates as a network-connected endpoint that handles Bluetooth Low Energy communications through an ESP32 microcontroller, making it susceptible to remote exploitation without authentication requirements. The vulnerability specifically affects the ble_process_esp32_msg function which processes incoming Bluetooth messages from adjacent network devices. The flaw stems from inadequate input validation where user-supplied data lengths are not properly checked before being copied into a fixed-size stack buffer, creating an exploitable condition that can be leveraged by attackers within the device's wireless communication range.
The technical implementation of this vulnerability follows a classic stack buffer overflow pattern where insufficient bounds checking allows an attacker to overwrite adjacent stack memory locations. When the ble_process_esp32_msg function receives a malformed Bluetooth message, it copies the data directly into a stack buffer without validating whether the incoming data exceeds the buffer's allocated size. This allows an attacker to overwrite return addresses, function pointers, and other critical stack data structures. The vulnerability's remote execution capability stems from the device's wireless communication interface being accessible without authentication, enabling attackers to send maliciously crafted Bluetooth messages from adjacent locations. According to the ZDI-CAN-26369 reference, this issue represents a well-documented class of vulnerabilities affecting embedded IoT devices that process untrusted wireless input.
The operational impact of CVE-2025-5827 extends beyond simple code execution to encompass complete device compromise and potential network infiltration. An attacker who successfully exploits this vulnerability can gain full control over the charging station, potentially enabling them to modify charging parameters, disable safety features, or use the device as a pivot point for attacks against other networked systems. The commercial nature of the device means that attackers could target specific installations such as parking lots, commercial buildings, or fleet management facilities where these chargers are deployed. The lack of authentication requirements significantly increases the attack surface since any nearby device with Bluetooth capabilities could potentially exploit this vulnerability, making it particularly dangerous for public charging infrastructure. This vulnerability directly maps to CWE-121 Stack-based Buffer Overflow, which is classified as a high-severity weakness in the Common Weakness Enumeration catalog.
Mitigation strategies for CVE-2025-5827 should focus on immediate firmware updates from Autel, network segmentation to isolate charging infrastructure, and monitoring for anomalous Bluetooth traffic patterns. Organizations should implement network access controls to limit Bluetooth communication to authorized devices only, while also establishing intrusion detection systems that can identify suspicious message patterns. The ATT&CK framework categorizes this vulnerability under T1059.007 Command and Scripting Interpreter: Python and T1068 Exploitation for Privilege Escalation, as attackers may use the compromised device to establish persistent access or escalate privileges within the charging network. Device administrators should also consider disabling unnecessary Bluetooth services when not actively required for configuration purposes, and implement regular security assessments of IoT endpoints to identify similar vulnerabilities in other embedded systems. The vulnerability highlights the critical need for secure coding practices in embedded devices and demonstrates how seemingly small input validation flaws can lead to complete system compromise in connected industrial environments.