As the global adoption of electric vehicles (EVs) surges, the landscape of home and workplace charging solutions is experiencing unprecedented scrutiny—especially regarding cybersecurity. The Schneider Electric EVLink WallBox, once a popular choice for reliable home EV charging, has recently drawn renewed attention after a series of severe vulnerabilities were disclosed by the Dutch Institute for Vulnerability Disclosure (DIVD). This comprehensive analysis investigates these vulnerabilities, evaluates the corresponding risks, and provides clear, actionable guidance for both current and prospective users of EV charging infrastructure, with a focus on the broader implications for critical infrastructure cybersecurity.
The Schneider Electric EVLink WallBox, a product firmly established in residential and light commercial environments, was designed to bring safe, convenient electric vehicle charging to a global customer base. However, with discoveries published in June 2025, the WallBox has become a prime example of how the security posture of legacy devices can leave critical infrastructure at risk.
Four distinct security flaws in the WallBox’s embedded web server—spanning path traversal, cross-site scripting (XSS), and OS command injection—threaten to undermine user trust and compromise essential security boundaries. Notably, these vulnerabilities exist across all versions of the EVLink WallBox, and with the product having reached its end of life (EOL), customers face a crucial decision: adopt strong mitigations or migrate to supported, more secure models.
The remaining vulnerabilities, while individually scoring lower (between 4.9 and 7.0 on CVSS scales), aggregate into a potent attack surface. Collectively, they enable attackers with web access—potentially even unauthenticated users—to read and write arbitrary files and inject malicious code or commands that could grant remote control over the WallBox charging unit. In essence, the vulnerabilities present attackers with tools to affect both data integrity and system functionality.
While there are no current reports of public exploitation targeting these WallBox vulnerabilities, the publication of detailed advisories and proofs-of-concept (PoCs) in the broader information security ecosystem can accelerate the window of opportunity for attackers. And given that Schneider Electric classifies the WallBox as deployed worldwide, this is not a localized or theoretical concern.
Instead, Schneider Electric urges customers to migrate to its replacement product, the EVLink Pro AC—a device which, on paper, includes a more robust security development life cycle and ongoing support. For those unable to immediately replace their WallBox units, the vendor and CISA recommend an array of mitigation steps, ranging from network segmentation and firewalling to strong password hygiene and minimizing device exposure to public networks.
Vendors often prioritize features and first-to-market speed over security in product design, a compromise coming under greater scrutiny as these devices begin playing pivotal roles in critical infrastructure sectors. And by the time hardware reaches EOL, users frequently find themselves exposed without practical recourse—a repeatable story seen across not just charging stations, but surveillance cameras, medical devices, and other cyber-physical systems.
Several factors heighten risk for legacy devices:
Going forward, a combination of improved vendor responsibility, mature consumer awareness, and regulatory clarity will be vital in securing the EV charging infrastructure that underpins global transportation goals. In the meantime, owners of the WallBox must act decisively: isolate these legacy devices, apply stringent best practices, and accelerate their migration to supported, secure platforms. Only with such a holistic approach can the full promise of electric mobility be realized—safely, securely, and resiliently.
Source: CISA Schneider Electric EVLink WallBox | CISA
The Schneider Electric EVLink WallBox, a product firmly established in residential and light commercial environments, was designed to bring safe, convenient electric vehicle charging to a global customer base. However, with discoveries published in June 2025, the WallBox has become a prime example of how the security posture of legacy devices can leave critical infrastructure at risk.Four distinct security flaws in the WallBox’s embedded web server—spanning path traversal, cross-site scripting (XSS), and OS command injection—threaten to undermine user trust and compromise essential security boundaries. Notably, these vulnerabilities exist across all versions of the EVLink WallBox, and with the product having reached its end of life (EOL), customers face a crucial decision: adopt strong mitigations or migrate to supported, more secure models.
The Scale and Gravity: CVSS Scores and Attack Surface
Central to risk assessment are the CVSS (Common Vulnerability Scoring System) v3.1 and v4 base scores which quantify the exploit’s severity. The most concerning flaw—improper pathname limitation (CVE-2025-5740)—earns a CVSS v4 score of 8.6, marking it as “high severity.” This vulnerability, combined with the fact that it can be exploited remotely and with low attack complexity, amplifies its potential for real-world impact.The remaining vulnerabilities, while individually scoring lower (between 4.9 and 7.0 on CVSS scales), aggregate into a potent attack surface. Collectively, they enable attackers with web access—potentially even unauthenticated users—to read and write arbitrary files and inject malicious code or commands that could grant remote control over the WallBox charging unit. In essence, the vulnerabilities present attackers with tools to affect both data integrity and system functionality.
Technical Breakdown: Understanding the Flaws
Path Traversal (CVE-2025-5740 and CVE-2025-5741)
- Arbitrary File Write (CVE-2025-5740): This vulnerability allows an unauthenticated user to craft malicious requests targeting the WallBox web server. By manipulating file path parameters, an attacker can write arbitrary files to locations outside the intended web root—a classical path traversal scenario. The result could be anything from implanting a webshell for persistent access to corrupting device configuration files.
- Arbitrary File Read (CVE-2025-5741): Requiring authentication but posing serious privacy and device integrity risks, this flaw lets attackers read any file on the device by exploiting path traversal in the opposite direction. Sensitive data, configuration files, and potentially cryptographic material could be exfiltrated in this way.
Cross-Site Scripting (CVE-2025-5742)
Allowing malicious scripts to be injected via configuration parameters, this persistent XSS flaw exposes both device administrators and possibly end-users to credential theft, browser-based attacks, and hijacking of session data. In the context of EV charging stations, where administrative sessions could also enable modification of charge settings or scheduling, such exposure carries higher-than-usual risk.OS Command Injection (CVE-2025-5743)
The most potentially catastrophic, a command injection vulnerability allows an authenticated attacker to run arbitrary operating system commands via unsafe configuration parameter handling. Once exploited, this opens the door for attackers to take full control of the device, install persistent malware, join the device to a botnet, or launch attacks against the wider network. For an endpoint residing on critical infrastructure—which EV charging stations increasingly do—the implications are dire.Risk to Critical Infrastructure
The urgency around these flaws is magnified by the evolving role of EV charging stations as integral nodes in national transportation and energy grids. Successful exploitation, especially at scale, could enable adversaries to disrupt charging availability, compromise user privacy, and, in extreme cases, manipulate grid-connected assets in ways not intended by their operators.While there are no current reports of public exploitation targeting these WallBox vulnerabilities, the publication of detailed advisories and proofs-of-concept (PoCs) in the broader information security ecosystem can accelerate the window of opportunity for attackers. And given that Schneider Electric classifies the WallBox as deployed worldwide, this is not a localized or theoretical concern.
Vendor and Researcher Response
Prompted by responsible disclosure from DIVD, Schneider Electric has published an in-depth security advisory (SEVD-2025-161-03), verified by both CISA and independent researchers. Crucially, Schneider Electric confirms that the EVLink WallBox product line is now EOL and will not receive further security updates—rendering the vulnerabilities “permanent” short of device retirement.Instead, Schneider Electric urges customers to migrate to its replacement product, the EVLink Pro AC—a device which, on paper, includes a more robust security development life cycle and ongoing support. For those unable to immediately replace their WallBox units, the vendor and CISA recommend an array of mitigation steps, ranging from network segmentation and firewalling to strong password hygiene and minimizing device exposure to public networks.
Mitigation: Making the Best of a Bad Situation
With no official patch forthcoming, risk reduction for existing WallBox installations demands a layered, strategic approach. Both Schneider Electric and CISA provide a blueprint of best practices—a combination of “defense in depth,” configuration hardening, monitoring, and strict network controls. The following recommendations emerge as both critical and actionable:Network Hygiene and Segmentation
- Segregate the Device: Place the WallBox on its own VLAN or isolated guest network to minimize risk from lateral movement within the home or business network.
- Block Inbound Traffic: Firewalls should be configured to deny all unsolicited inbound HTTP/HTTPS access to the device.
- Avoid Public Addressing: Never expose the WallBox’s administrative interface to the public internet. Disable port forwarding and restrict management to trusted local IP addresses.
- Monitor Logs: Regularly review access logs for signs of anomalous or unauthorized access, which may indicate ongoing or attempted exploitation.
Strong Authentication
- Password Hygiene: Replace all default credentials immediately after setup or factory reset. Use passwords that are at least 20 characters, mixing upper/lowercase, numbers, and symbols.
- Limit Access: Only provide credentials to authorized, trusted users—avoid password sharing, and consider periodic rotation.
- Role-based Control: While the WallBox’s web server offers only basic user roles, apply any available limitations on web management to reduce accidental exposure.
Additional Security Practices
- Wi-Fi Encryption: Use WPA3 or, where unavailable, WPA2 with protected management frames to strengthen wireless security.
- Device Segmentation: As reiterated by CISA, place the WallBox on a dedicated network segment, separate from critical workstations or business systems.
- No Port Mapping: Disable universal plug-and-play (UPnP) and any router settings that might automatically expose internal devices to the internet.
Physical and Organizational Controls
- End of Life Management: Begin the process of scheduling and budgeting for device replacement. Assign responsibility within the organization (or household) to ensure outdated hardware is methodically decommissioned.
- Incident Reporting: Establish procedures for documenting and reporting any suspected unauthorized access, as recommended by CISA.
Table: Schneider Electric EVLink WallBox Vulnerabilities Overview
| Vulnerability | CVE ID | CVSS v3.1 | CVSS v4 | Attack Vector | Privileges Required | Potential Impact |
|---|---|---|---|---|---|---|
| Arbitrary File Write | CVE-2025-5740 | 7.2 | 8.6 | Network (remote) | None | Remote exploit, device corruption |
| Arbitrary File Read | CVE-2025-5741 | 4.9 | 6.9 | Network | Authenticated | Data leakage, privacy compromise |
| Cross-Site Scripting | CVE-2025-5742 | 5.4 | 5.1 | Network | Low (auth) | Session hijack, credential theft |
| OS Command Injection | CVE-2025-5743 | 5.5 | 7.0 | Network | High (auth) | Full remote control, persistence |
The Broader EV and IoT Security Context
While the vulnerabilities outlined are acutely urgent for owners of Schneider Electric’s affected hardware, their story is emblematic of persistent weaknesses across the rapidly expanding constellation of IoT (Internet of Things) and OT (Operational Technology) devices. Path traversal, cross-site scripting, and command injection have been recurring weaknesses in smart devices, from connected thermostats to industrial controllers.Vendors often prioritize features and first-to-market speed over security in product design, a compromise coming under greater scrutiny as these devices begin playing pivotal roles in critical infrastructure sectors. And by the time hardware reaches EOL, users frequently find themselves exposed without practical recourse—a repeatable story seen across not just charging stations, but surveillance cameras, medical devices, and other cyber-physical systems.
Several factors heighten risk for legacy devices:
- Unpatched vulnerabilities remain discoverable and exploitable for years.
- Many owners lack the technical skills to implement advanced mitigations or to identify ongoing attacks.
- Attackers increasingly leverage automated tools and botnets to sweep for vulnerable units, turning isolated devices into broad targets.
Strengths and Opportunities
Despite the serious weaknesses exposed, the disclosure process surrounding these vulnerabilities embodies many current strengths in cybersecurity culture:- Responsible Disclosure: DIVD’s role in timely and coordinated reporting allowed Schneider Electric to craft a detailed advisory before information became widely weaponized.
- Transparency: Both vendor and government agencies (CISA) have prioritized open, detailed communication of risks and mitigation steps.
- Industry Collaboration: The situation underscores the necessity for closer ties between device vendors, researchers, and regulatory bodies worldwide.
Critical Analysis: Weaknesses, Risks, and Unresolved Gaps
Nevertheless, significant systemic weaknesses remain, and the broader EV and IoT ecosystem faces recurring risks:- End of Life Fallout: The lack of an official patch for affected EVLink WallBox units creates “architecture debt,” with vulnerabilities persisting for the lifetime of the device. Owners who cannot feasibly replace hardware remain exposed—particularly if they are unable to implement advanced network controls recommended by Schneider Electric and CISA.
- Consumer Awareness: Many WallBox units, particularly in private homes, are installed and managed by non-professionals lacking security expertise. As a result, basic misconfigurations—such as weak passwords or exposed public IP addresses—are likely far more prevalent than official advisories suggest.
- Potential for Mass Exploitation: Given the low complexity of network-based path traversal and command injection vulnerabilities, attackers could automate mass scans and exploits, potentially targeting unsegmented residential and commercial networks.
- Proliferation of Unmanaged Legacy Devices: Without a comprehensive industry effort to map, alert, and ultimately deprecate unsupported smart devices, similar issues will likely recur—highlighting the persistent need for regulatory standards and consumer education.
Forward-Looking Recommendations
For Owners and Operators
- Plan for Replacement: Budget for hardware refresh cycles, and prioritize devices that receive regular security updates from vendors with demonstrable SDLC (Secure Development Life Cycle) maturity.
- Engage with Advisories: Routinely monitor vendor and CISA advisories for newly disclosed vulnerabilities and mitigation techniques for all connected devices.
- Implement Monitoring: Even simple tools, such as router-based network monitoring and device isolation, can provide early warning in the event of an attack.
For Vendors and Industry
- Secured by Design: Integrate security testing, code review, and vulnerability scanning as integral components of development and maintenance for all connected devices.
- Transparent EOL Communication: Notify customers well in advance of EOL dates and provide guidance and incentives for secure device retirement or trade-in.
- Accessible Patch Management: Even when software updates are no longer feasible, vendors can deliver network-based “guardrails” or virtual patches to mitigate high-severity vulnerabilities where possible.
For Policymakers and Regulators
- Mandate Disclosure: Require open, timely reporting of vulnerabilities and EOL status for critical infrastructure devices.
- Raise Baseline Security: Consider minimum standards for IoT device security, especially when deployed in critical sectors.
Conclusion: A Cautionary Tale for the Next Generation of Smart Infrastructure
The vulnerabilities affecting the Schneider Electric EVLink WallBox shine an uncomfortable but necessary light on the cyber risks endemic to legacy connected infrastructure. While Schneider Electric’s transparent communications and CISA’s mitigation guidance give owners clear directions in the short term, the incident is a harbinger of the challenges facing a world increasingly reliant on networked devices from a diversity of vendors and eras.Going forward, a combination of improved vendor responsibility, mature consumer awareness, and regulatory clarity will be vital in securing the EV charging infrastructure that underpins global transportation goals. In the meantime, owners of the WallBox must act decisively: isolate these legacy devices, apply stringent best practices, and accelerate their migration to supported, secure platforms. Only with such a holistic approach can the full promise of electric mobility be realized—safely, securely, and resiliently.
Source: CISA Schneider Electric EVLink WallBox | CISA