The recently disclosed vulnerability in the Vestel AC Charger, identified as CVE-2025-3606, highlights the persistent risks faced by the rapidly growing market for electric vehicle (EV) charging solutions. As electric vehicles become increasingly prevalent worldwide, the infrastructure that supports them—especially charging points—becomes a prime target for cyber adversaries. This evolving threat landscape demands both vigilance by manufacturers like Vestel and proactive defensive measures by system integrators and end users.
A New Age of Risks in Electric Vehicle Infrastructure
The vulnerability outlined by the Cybersecurity and Infrastructure Security Agency (CISA) underscores not only a technical weakness but also reveals wider systemic risks facing critical infrastructure. Vestel, a major electronics manufacturer headquartered in Turkey, supplies AC Chargers that are widely deployed in transportation systems across the globe. The flaw specifically affects the Vestel AC Charger EVC04, version 3.75.0—a model in widespread use.
With a calculated CVSS v3.1 base score of 7.5 and an even higher CVSS v4 score of 8.7, the seriousness of this flaw is unambiguous. It enables remote attackers with low technical expertise to access sensitive files—most importantly, system credentials—without authentication or user interaction. The consequences of successful exploitation could range from denial of service attacks to a partial loss of device integrity, with damaging ripple effects on power grid reliability and user privacy.
Technical Breakdown: The Anatomy of CVE-2025-3606
In practical terms, the vulnerability is an exposure of sensitive system information to an unauthorized control sphere. Vulnerable devices can unwittingly reveal credential files to remote attackers, who could then leverage this access to manipulate charger functions, intercept user data, or disrupt services. This exposure is particularly concerning because it is reachable remotely and can be exploited with minimal complexity or prerequisites—lending the attack itself a dangerous simplicity.
Given that EV chargers often represent high-value infrastructure in both public and private settings, this type of issue can pose a risk not just to individual users, but to the stability and safety of broader transportation networks. The fact that the vulnerability was responsibly disclosed to CISA before widespread exploitation indicates a measure of good fortune for the ecosystem; however, the surface area for similar attacks is expanding as more networked charging points go live across the world.
Sector Context: Critical Infrastructure Under Siege
Electric vehicle charging points sit at the intersection of convenience and vulnerability for modern transportation systems—a sector now categorized as critical infrastructure by national authorities like CISA. The insecure exposure of system credentials is not only a technical oversight; it carries the potential for broader systemic impact, especially if leveraged in coordinated attacks or as a conduit for lateral movement throughout a network.
Notably, Vestel’s AC Chargers are deployed globally, meaning this vulnerability has an international scope. Transportation systems in regions spanning from North America to Europe and Asia are potentially affected, increasing the urgency of mitigation measures and patch deployment.
Stakes for Operators and End Users
For EV charger operators, the implications of CVE-2025-3606 are twofold. First, there is an immediate need for rapid software updates—Vestel has already issued a patch raising the affected version from 3.75.0 to 3.187 or higher. Second, operators must recognize this incident as part of a larger pattern: digital components in physical infrastructure expand the attack surface, and proactive security is not optional but mandatory.
Users—ranging from fleet managers to everyday drivers relying on public chargers—stand to lose if attackers exploit compromised credentials to cause service interruptions. Even partial outages at major charging locations can have cascading effects on mobility, especially in densely populated or transport-focused regions.
Vendor Response: Mitigation and Guidance
Vestel’s recommended mitigations are robust and multi-layered, aimed at both short-term remediation and longer-term hardening. The primary directive is clear: update the firmware to version 3.187 or later as soon as possible. This patch blocks the immediate channel through which sensitive data could be exfiltrated.
But the company’s guidance extends beyond patching—a sign that no single fix can fully guarantee security on its own:
- Avoid open networks: Operators are encouraged to use secure remote access methods, such as VPNs, that have been regularly updated and integrated with strong endpoint security.
- Reduce network exposure: Wherever possible, devices should not be accessible from the open internet unless absolutely necessary for their intended function.
- Credential management: A mandatory change from factory default usernames and passwords is required. Printed guides or documentation containing login information should be removed from online publication, closing an often-overlooked loophole exploited by attackers.
- Ongoing awareness: Vestel advises all users and administrators to regularly consult the company’s own advisories and CISA best practices, ensuring that security is treated as an ongoing, evolving process.
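As an added illustration of how an operator might apply the advisory's four points across a charger fleet (example code written for this article, not Vestel's or CISA's tooling), the script below checks each inventory record for the firmware fix level, internet exposure, VPN-gated remote access and factory default credentials. The inventory field names and the sample devices are assumptions; one detail worth seeing in code is that the firmware versions on this page ("3.75.0" affected, "3.187" fixed) compare the wrong way round if treated as plain strings.

```python
"""Fleet triage against the Vestel EVC04 advisory (CVE-2025-3606).

Constructed example: the inventory field names (model, firmware,
internet_exposed, remote_access, default_credentials) are assumptions
about an operator's asset inventory, not a Vestel or CISA format.
"""
AFFECTED_MODEL = "EVC04"
FIXED_VERSION = "3.187"  # fixed firmware level named in the advisory

def parse_version(v: str) -> tuple:
    """'3.75.0' -> (3, 75, 0) so releases compare numerically. A plain
    string comparison ranks '3.75.0' above '3.187' ('7' > '1'), which
    would wrongly mark a vulnerable charger as patched."""
    return tuple(int(part) for part in v.strip().split("."))

def firmware_is_vulnerable(model: str, firmware: str) -> bool:
    """True when an EVC04 runs firmware below the fixed version."""
    if model != AFFECTED_MODEL:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)

def triage(record: dict) -> list:
    """Map one inventory record to the advisory mitigations that still apply."""
    findings = []
    if firmware_is_vulnerable(record["model"], record["firmware"]):
        findings.append(f"update firmware to {FIXED_VERSION} or later")
    if record.get("internet_exposed"):
        findings.append("remove from the open internet; restrict exposure")
    if record.get("remote_access") != "vpn":
        findings.append("gate remote access behind an updated VPN")
    if record.get("default_credentials"):
        findings.append("change factory default username and password")
    return findings

def triage_fleet(inventory: list) -> dict:
    """Findings per device id; an empty list means nothing left to do."""
    return {rec["id"]: triage(rec) for rec in inventory}

# Constructed sample inventory; ids, versions and flags are made up.
SAMPLE_INVENTORY = [
    {"id": "ch-01", "model": "EVC04", "firmware": "3.75.0",
     "internet_exposed": True, "remote_access": "open", "default_credentials": True},
    {"id": "ch-02", "model": "EVC04", "firmware": "3.187",
     "internet_exposed": False, "remote_access": "vpn", "default_credentials": False},
    {"id": "ch-03", "model": "EVC04", "firmware": "3.9.2",
     "internet_exposed": False, "remote_access": "vpn", "default_credentials": False},
]
if __name__ == "__main__":
    for dev, found in triage_fleet(SAMPLE_INVENTORY).items():
        print(dev, found or ["no findings"])
```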
CISA’s Proactive Stance on Cyber Defense
The involvement and recommendations from CISA further reinforce the seriousness of flaws like CVE-2025-3606. The agency not only issues advisories but also furnishes industry with a comprehensive suite of resources on defense-in-depth, targeted cyber intrusion detection, and incident reporting procedures.
CISA emphasizes the importance of regular risk assessment, system impact analysis before deploying defensive measures, and cross-industry information sharing. These actions are deemed essential for protecting industrial control systems (ICS) as their integration with internet-connected devices accelerates.
The agency also reinforces standard cyber hygiene practices:
- Beware of phishing: Organizations should train staff to avoid clicking on unsolicited links or downloading attachments from unknown sources.
- Report incidents promptly: Any signs of compromise should be reported to authorities for aggregation and threat intelligence.
The Expanding Attack Surface for IoT and ICS
The case of Vestel’s AC Charger vulnerability is not an isolated event, but part of a wider trend. Internet of Things (IoT) devices commonly suffer from weak default credentials, insufficient network segmentation, and limited post-deployment updates. In ICS environments, where uptime and reliability are prized over constant patching, these same weaknesses can remain unaddressed for years—sometimes until a public vulnerability disclosure forces action.
As more “smart” devices are added to critical systems, the ability for attackers to move laterally increases. Compromising an EV charger, for example, could serve as a stepping stone toward attacking higher-value targets within energy grids or municipal systems. The risk expands further when devices are left exposed to the internet or are not isolated from corporate administrative networks.
Lessons Learned: Toward a Secure Charging Ecosystem
Critical analysis of the CVE-2025-3606 incident yields several enduring lessons:
Patch Management Must Be Swift and Consistent
Ultimately, software vulnerabilities are inevitable—but rapid detection, disclosure, and remediation can limit their impact. The speed with which Vestel and CISA responded is commendable, but future incidents may not afford the same luxury of time. Automating update checks and deploying patches as soon as they become available should be embedded in operational protocols.
Least Privilege is Non-Negotiable
Default credentials and excessive device exposure remain endemic problems. Deployments must always begin with the assumption that default login information is compromised, prompting immediate credential resets and access minimization. Remote access must be carefully gated and monitored.
Defense in Depth is the Only Sustainable Approach
No single security tool or process is sufficient. Robust authentication, network segmentation, regular security audits, and user training must work in concert. Organizational leadership should support a culture where security is a shared priority, not merely an afterthought.
The Burden of Security Must Be Shared
While vendors provide the technical means to patch vulnerabilities, end users and system integrators play a crucial role in safe deployment and operation. Training, oversight, and continuous improvement are essential—security is not just the vendor’s responsibility.
What's at Stake for the Future of Smart Mobility
The rapid integration of connected charging infrastructure into global transport networks is both a necessity and a risk. The vigilance with which flaws like CVE-2025-3606 are handled will shape public trust and industry stability moving forward. For national and municipal authorities, the goal is resilience: building charging networks that are not just fast and ubiquitous, but also secure by design.
Manufacturers like Vestel have a challenging path ahead—one which blends engineering innovation with an uncompromising stance on cybersecurity. This responsibility extends through the supply chain, touched by operators, network administrators, and ordinary users alike.
Meanwhile, for organizations considering large-scale EV charger deployments, the lessons here should serve as a catalyst to review procurement and operational processes. Scrutinize vendor security practices, enforce robust credential management, and ensure that incident response plans are well-practiced and up-to-date.
Conclusion: Security as a Foundation for Sustainable Electrification
The exposure of sensitive system information in Vestel’s AC Chargers is a sharp reminder that the march toward electrified mobility is inseparable from the demands of cybersecurity. As critical infrastructure becomes ever more connected, vulnerabilities will be discovered—sometimes by security researchers acting in good faith, but sometimes by criminal actors hoping to sow disruption or extract value.
The best defense is a culture of continuous vigilance and shared responsibility: from product designers and vendors, to infrastructure operators and end users. For those building and relying on the world’s charging infrastructure, this advisory is not just a warning, but a blueprint for smarter, safer growth in the era of electric transport.
Source: www.cisa.gov Vestel AC Charger | CISA