Siemens ProductCERT has confirmed an improper access control vulnerability in Heliox-branded EV charging hardware that can let an attacker reach otherwise protected services by using the charging cable as an attack vector. Siemens has published fixes and recommends updating affected chargers to the new firmware releases immediately. (cert-portal.siemens.com/productcert/html/ssa-126399.html)
Third‑party vulnerability trackers and CVE aggregators have independently picked up the same CVE entry and version/score data, confirming the vendor's disclosure and the narrow technical scope described by Siemens. Those secondary listings show a CVSS v3.1 base score of 2.6 (vector AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) and a similarly low CVSS v4 score; both emphasize that this is a physical/adjacent-access issue rather than a remote, internet‑facing flaw.
Background / Overview
The vulnerability, tracked as CVE-2025-27769 in public vulnerability feeds, affects two Heliox models that Siemens sells under its e-mobility portfolio: the Heliox Flex 180 kW EV Charging Station and the Heliox Mobile DC 40 kW EV Charging Station. Siemens lists the affected builds as all versions prior to F4.11.1 for the Flex 180 and prior to L4.10.1 for the Mobile 40 kW. The vendor assigned the advisory identifier SSA-126399 and published the technical summary and remediation steps on the Siemens ProductCERT portal. (cert-portal.siemens.com)
Third‑party vulnerability trackers and CVE aggregators have independently picked up the same CVE entry and version/score data, confirming the vendor's disclosure and the narrow technical scope described by Siemens. Those secondary listings show a CVSS v3.1 base score of 2.6 (vector AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) and a similarly low CVSS v4 score; both emphasize that this is a physical/adjacent-access issue rather than a remote, internet‑facing flaw.
Siemens’ advisory and the republished U.S. federal advisory emphasize that the vulnerability relates to improper restriction of communication channels to intended endpoints (CWE‑923), meaning the charging interface or connected cabling can be used to reach services that should not be reachable from that physical interface. The vendor's published mitigation is to update affected devices to the patched firmware releases via OTA or vendor support channels. (cert-portal.siemens.com)
What the advisory actually says — verified facts
Affected models and fixed firmware
- Heliox Flex 180 kW EV Charging Station — all versions older than F4.11.1 are listed as affected. (cert-portal.siemens.com)
- Heliox Mobile DC 40 kW EV Charging Station — all versions older than L4.10.1 are listed as affected. (cert-portal.siemens.com)
Technical severity and attack vector
- Siemens assigns CVSS v3.1 = 2.6 (Low) and CVSS v4.0 = 2.4 (Low) to CVE‑2025‑27769, with the attack vector marked as Physical. That aligns with the vendor description that exploitation requires access via the charging cable interface rather than a remote network exploit. (cert-portal.siemens.com)
Vulnerability class
- CWE‑923: Improper Restriction of Communication Channel to Intended Endpoints. In plain terms, the device does not properly limit which services are reachable over a physical communication channel (here: the charging cable or connector), so a connected party can access services it shouldn't. Siemens documents this and lists the CWE identifier in the advisory. (cert-portal.siemens.com)
How this can be abused — realistic attack scenarios
The advisory’s emphasis on the charging cable as the vector means the practical attack surface is largely physical or adjacent. However, “physical/adjacent” should not be conflated with “low impact” in production environments: EV chargers are widely deployed in depots, public sites, and fleet garages where vehicles, service vehicles, contractors, and the general public may connect to chargers.
- Scenario 1 — Malicious vehicle or intermediary device: An attacker with a maliciously modified vehicle or a small inline device could use the cable interface to initiate communication channels that the charger incorrectly routes to internal services. This could reveal management interfaces or service endpoints that are intended only for local maintenance, enabling unauthorized interactions. Siemens’ description maps to this pathway. (cert-portal.siemens.com)
- Scenario 2 — Compromised or rogue portable charger: A portable or “mobile” charger (for example, the Heliox Mobile 40 kW) used by contractors or third-party staff could be the attack origin if an attacker controls the mobile unit or attaches hardware to it. Because the advisory lists the Mobile 40 kW product, the risk model particularly affects scenarios where the charger is moved between sites. (cert-portal.siemens.com)
- Scenario 3 — Supply‑chain or servicing misuse: Maintenance tools or diagnostic equipment that connect to the charger could unintentionally expose services if the charger fails to validate endpoints on the cable interface. This is a classic design flaw: an I/O subsystem that trusts the physical interface becomes a route into privileged services. CWE‑923 captures that class of design error. (cert-portal.siemens.com)
Technical analysis — why CWE‑923 matters for EV chargers
CWE‑923 covers failures to enforce endpoint restrictions on communication channels. For EV chargers, there are multiple protocol and electrical layers involved:
- Physical/electrical interface: The CCS/pantograph connector and its associated pins carry both power delivery and the low‑speed communications that establish a charging session (including power negotiation). If the device permits arbitrary protocol bridging across pins or misroutes data flows, that can create unexpected paths into internal subsystems.
- Application/protocol layer: Modern DC chargers support management and diagnostic channels (including proprietary maintenance interfaces, OCPP‑like protocols, and ISO 15118 stacks). A charger must strictly segregate the vehicle‑facing protocol channels from internal management channels; an improper mapping or permissive routing creates the CWE‑923 condition Siemens describes.
- Management plane exposure: If an attacker can cause the charger to forward or respond to management‑level requests over the charging cable, they may reach services that bypass authentication or are intended only for local technicians.
Risk assessment — who should be worried, and why
The risk picture depends on deployment context:
- High-risk environments:
  - Bus and truck depots with many vehicles and mixed user access.
  - Public fast‑charging stations where the public can plug in third‑party cables, adapters, or modified EVs.
  - Fleet operations that use mobile or portable chargers across multiple sites (the Mobile 40 kW unit is explicitly listed as affected). (cert-portal.siemens.com)
- Lower-risk environments:
  - Secure depots where chargers are in fenced yards, access is tightly controlled, and only vetted vehicles plug in.
  - Sites where chargers are physically secured and the charging interface is not reachable by untrusted third parties.
Vendor response and patching posture
Siemens ProductCERT published SSA‑126399 and lists firmware updates as the remediation; operators are instructed to contact Siemens customer support for OTA instructions and to update to the released software versions (F4.11.1 or later for the Flex 180; L4.10.1 or later for the Mobile 40 kW). The advisory was published on March 10, 2026, and Siemens lists both products as known affected and requiring vendor firmware updates. (cert-portal.siemens.com)
Independent CVE aggregators and security feeds mirrored the vendor messaging and the version bounds, which suggests the disclosure is vendor‑coordinated and that patch artifacts are available or being distributed via standard Siemens support channels. Operators should treat this as a patch‑now advisory for affected devices because fixes are available; the vendor has explicitly recommended updating.
Immediate, prioritized actions for operators (what to do now)
Follow the vendor-prescribed update path as the primary remediation. In parallel, implement compensating controls to minimize risk while updates are being scheduled:
- Inventory and prioritize:
  - Identify all Heliox Flex 180 kW and Heliox Mobile DC 40 kW units in your estate and note firmware versions.
  - Prioritize devices in public or multi-tenant sites, and any mobile units that move between sites. (cert-portal.siemens.com)
- Patch:
  - Contact Siemens support (use your established support channel) and obtain the OTA update procedure for F4.11.1 / L4.10.1.
  - Schedule and apply firmware updates during maintenance windows; validate upgrades and retain rollback images. (cert-portal.siemens.com)
- Short-term network and access mitigations:
  - Physically restrict access to connectors and charging ports where practical.
  - Ensure chargers are on segmented networks and isolate management interfaces from vehicle-facing interfaces.
  - Disable any unnecessary remote management services until the device is patched. These are standard Siemens recommendations for operating ICS/OT equipment in protected environments. (cert-portal.siemens.com)
- Operational detection and monitoring:
  - Increase logging and retention on charger management planes; monitor for anomalous connections or unexpected service access patterns following cable connections.
  - Add SIEM correlation rules that flag unusual maintenance‑interface access from vehicle endpoints.
- For mobile or shared chargers:
  - Institute chain‑of‑custody and configuration checks for any mobile chargers used by contractors.
  - Limit which chargers can be physically moved between high‑risk sites until they’re patched.
- Communications and governance:
  - Notify site owners, fleet managers, and any third‑party service providers of the firmware update requirement.
  - Conduct a basic impact analysis: which services would be reached if an unauthorized endpoint were to access the internal management interfaces.
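For the inventory, prioritization and patch steps above (and the firmware confirmation described later under verification), the version check is the part that is easy to get wrong: the Heliox build strings are letter-prefixed dotted versions, and a plain string comparison would rank F4.9.2 above F4.11.1 and mark an affected unit as patched. The following Python helper is an added example written for this article, not a Siemens tool; the fixed versions are those stated in the advisory, while the inventory records, asset ids, site categories and build strings are constructed.

```python
"""Firmware-version triage for the two Heliox models named in SSA-126399.

Added example for this article, not a Siemens tool. The fixed versions come
from the advisory (F4.11.1 for the Flex 180 kW, L4.10.1 for the Mobile DC
40 kW); the inventory records, site categories and build strings below are
constructed sample data.
"""
import re
from dataclasses import dataclass

# Fixed releases per model, as listed in the advisory.
FIXED_VERSION = {
    "Heliox Flex 180 kW": "F4.11.1",
    "Heliox Mobile DC 40 kW": "L4.10.1",
}

# Letter prefix followed by dotted integers, e.g. F4.11.1 (format assumed from the advisory).
_VERSION_RE = re.compile(r"^([A-Z])(\d+(?:\.\d+)*)$")


def parse_version(build):
    """Split 'F4.11.1' into ('F', (4, 11, 1)). Raises ValueError if malformed."""
    m = _VERSION_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def is_vulnerable(model, build):
    """True when the build is older than the fixed release for the model.

    Numeric comparison matters: 'F4.9.2' sorts after 'F4.11.1' as a string
    but is the older, affected firmware. A prefix that does not match the
    model's release line is refused so the record gets a human look."""
    fixed_prefix, fixed_parts = parse_version(FIXED_VERSION[model])
    prefix, parts = parse_version(build)
    if prefix != fixed_prefix:
        raise ValueError(f"build {build!r} is not in the {model} release line {fixed_prefix!r}")
    return parts < fixed_parts


@dataclass(frozen=True)
class Charger:
    asset_id: str
    model: str
    build: str
    site_type: str  # assumed categories: public, multi-tenant, mobile, secure-depot


# Higher number = patch sooner, mirroring the article's prioritisation of
# public, multi-tenant and mobile units over secured depots.
SITE_PRIORITY = {"public": 3, "multi-tenant": 3, "mobile": 3, "secure-depot": 1}


def triage(inventory):
    """Return (asset_id, status, priority) rows, most urgent first.

    status is 'patch' (affected), 'ok' (at or above the fixed release) or
    'review' (unknown model, malformed build string or wrong release line)."""
    rows = []
    for c in inventory:
        try:
            status = "patch" if is_vulnerable(c.model, c.build) else "ok"
        except (ValueError, KeyError):
            status = "review"
        priority = SITE_PRIORITY.get(c.site_type, 2) if status != "ok" else 0
        rows.append((c.asset_id, status, priority))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


INVENTORY = [  # constructed sample data
    Charger("FLEX-001", "Heliox Flex 180 kW", "F4.9.2", "public"),
    Charger("FLEX-002", "Heliox Flex 180 kW", "F4.11.1", "public"),
    Charger("MOB-001", "Heliox Mobile DC 40 kW", "L4.10.0", "mobile"),
    Charger("MOB-002", "Heliox Mobile DC 40 kW", "L4.10.1", "secure-depot"),
    Charger("FLEX-003", "Heliox Flex 180 kW", "F4.10.7", "secure-depot"),
    Charger("MOB-003", "Heliox Mobile DC 40 kW", "build-unknown", "mobile"),
]

if __name__ == "__main__":
    for asset_id, status, priority in triage(INVENTORY):
        print(f"{asset_id:10} {status:7} priority={priority}")
```

Rows marked review are the ones to resolve by hand against the device itself or the Siemens support ticket rather than guess at; an asset with an unparseable or foreign build string should not silently drop off the patch list.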
Strengths and limitations of the vendor advisory — critical analysis
Strengths
- Siemens released a targeted advisory that clearly lists affected models, affected version bounds, the CWE class, and the required remediation path (firmware updates via OTA/support). That level of model/version granularity is useful for operators conducting rapid triage. (cert-portal.siemens.com)
- The vendor explicitly labels the attack vector as physical/adjacent, and provides CVSS v3.1/v4.0 metrics that help security teams prioritize based on access model rather than headline severity alone. Third‑party CVE aggregators have mirrored those metrics, so the vendor’s severity assessment appears consistent across sources. (cert-portal.siemens.com)
Limitations and open questions
- The advisory is sparse on technical detail about exactly which services become reachable and how access control fails. That lack of specificity is common in vendor advisories, but it complicates risk quantification for defenders who must choose compensating controls while updates are scheduled. Siemens’ advisory purposefully omits exploit PoCs, which is prudent, but operators will want more concrete indicators for detection. (cert-portal.siemens.com)
- The vendor classified the CVSS as Low, which is technically accurate given physical access is required, but the business impact can be significantly higher in fleet and public‑charging contexts where an attacker can insert or present a physical interface. The low CVSS can lull non‑technical stakeholders into deprioritizing the update — do not let the numeric label alone determine scheduling risk. (cert-portal.siemens.com)
- There is no public evidence at the time of disclosure of active exploitation, and public trackers do not list proof-of-concept exploits. That is reassuring, but absence of evidence is not evidence of absence; the physical attack surface is large and opportunistic actors could weaponize the flaw in targeted settings. Treat this as a realistic, site‑dependent operational risk.
Wider implications for EV charging security
This advisory is another signpost in a trend: as EV chargers become more feature-rich and software-driven, the assumption that a physical power interface is a “dumb” channel no longer holds. Modern chargers host complex protocol stacks, management services, and third‑party integrations — and that complexity expands the “adjacent network” attack surface.
- Device vendors must treat vehicle‑facing interfaces as untrusted networks and design with least privilege for inter‑subsystem communication.
- Operators should assume that any device that connects — whether vehicle, diagnostic tool, or portable charger — can be used to exercise protocol interactions unless explicitly prevented by the charger.
- Standards bodies and system architects need to codify stricter separation between charging session protocols (power negotiation, billing handshake) and any maintenance or service endpoints accessible on the same physical medium. Research into physical-layer signal attacks already demonstrates this category of risk is practical under some conditions.
How to verify you are patched and what to log
- Confirm firmware: After applying the OTA update or vendor patch, obtain and record the firmware build string reported by the charger (expect F4.11.1+ for Flex 180; L4.10.1+ for Mobile 40 kW). Cross-check the build with Siemens release notes or the support ticket confirming your update. (cert-portal.siemens.com)
- Test connectivity restrictions: With the device patched, perform a controlled test (under vendor guidance) using a diagnostic vehicle or test harness to ensure management services are not reachable from vehicle/cable endpoints.
- Log indicators:
  - Cable session initiation and the identity of the connected vehicle or device.
  - Any attempts to access maintenance or management endpoints that originate from vehicle-facing interfaces.
  - Firmware update events and checksums.
- Keep vendor support evidence: Retain the support and patch confirmation from Siemens as part of your compliance and incident response documentation.
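The monitoring step in the operator actions (SIEM rules that flag maintenance-interface access from vehicle endpoints) and the log indicators listed here come down to one correlation: management-service requests whose ingress is the vehicle-facing interface, grouped per cable session. The Python example below is added for this article and is not Siemens or Heliox code; it runs that rule over constructed log lines. The line format, field names (ingress, session, svc, result) and service names are assumptions, so the parser is the part to adapt to whatever the charger or its management plane actually exports.

```python
"""Detection rule: management-service requests arriving on the vehicle-facing
interface, graded per cable session.

Added example for this article, not Siemens or Heliox code. The log format,
field names and service names are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Services that should only be reached from a technician or operator interface.
MANAGEMENT_SERVICES = frozenset({"diagnostics", "firmware-update", "config"})
VEHICLE_INGRESS = "vehicle"

# Assumed layout: "<ISO timestamp> <device id> key=value key=value ..."
_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None when it is malformed."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    if not {"ingress", "session", "svc", "result"}.issubset(fields):
        return None
    fields["ts"], fields["device"] = m.group(1), m.group(2)
    return fields


@dataclass(frozen=True)
class Alert:
    device: str
    session: str
    first_seen: str
    services: tuple
    severity: str


def detect(lines):
    """Group management requests from the vehicle side per (device, session)
    and grade them. Returns (alerts sorted by first_seen, skipped_line_count)."""
    hits = defaultdict(list)
    skipped = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1  # count rather than drop silently: a parser gap is itself a finding
            continue
        if ev["ingress"] != VEHICLE_INGRESS or ev["svc"] not in MANAGEMENT_SERVICES:
            continue  # normal charging traffic, or a technician on the maintenance port
        hits[(ev["device"], ev["session"])].append(ev)

    alerts = []
    for (device, session), events in hits.items():
        if any(e["result"] == "ok" for e in events):
            severity = "critical"  # the device served a management request from the cable: likely unpatched
        elif len(events) >= 2:
            severity = "high"      # repeated probing within one session, denied each time
        else:
            severity = "medium"    # a single denied attempt; still worth a look post-patch
        alerts.append(Alert(device, session, events[0]["ts"],
                            tuple(e["svc"] for e in events), severity))
    alerts.sort(key=lambda a: a.first_seen)
    return alerts, skipped


SAMPLE_LOG = [  # constructed sample lines, not real Heliox output
    "2026-03-12T08:14:03Z EVSE-01 ingress=vehicle session=S-1042 svc=charge-session result=ok",
    "2026-03-12T08:14:09Z EVSE-01 ingress=vehicle session=S-1042 svc=diagnostics result=denied",
    "2026-03-12T08:14:11Z EVSE-01 ingress=vehicle session=S-1042 svc=config result=denied",
    "2026-03-12T09:02:40Z EVSE-02 ingress=maintenance session=M-7 svc=diagnostics result=ok",
    "2026-03-12T09:30:00Z EVSE-03 ingress=vehicle session=S-1043 svc=charge-session result=ok",
    "2026-03-12T10:15:22Z EVSE-03 ingress=vehicle session=S-1044 svc=firmware-update result=ok",
    "malformed line without fields",
]

if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.severity:8} {a.device} {a.session} {a.first_seen} {','.join(a.services)}")
    print(f"skipped {skipped} unparseable line(s)")
```

Two design choices are worth keeping when adapting this: denied attempts are alerted as well as successes, because after the firmware update a denial is the indicator the article says to watch for, and a successful management response from the cable side is graded highest because it means the device still behaves as the advisory describes.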
Final assessment and recommendations
CVE‑2025‑27769 is a design/architecture access control problem (CWE‑923) that requires physical/adjacent access via the charging cable to exploit. Siemens has released fixes and instructs operators to update to F4.11.1 (Flex 180) and L4.10.1 (Mobile 40 kW) or later. While the vendor scores the vulnerability as low because it requires physical adjacency, the real-world risk to public charging sites and mobile charge fleets is material because those operational contexts routinely allow physical cable connections from a broad set of actors. (cert-portal.siemens.com)
Action checklist (executive summary):
- Immediately identify affected Heliox Flex 180 kW and Heliox Mobile DC 40 kW units in your estate. (cert-portal.siemens.com)
- Prioritize and apply the vendor firmware updates (F4.11.1 / L4.10.1) via Siemens support/OTA. (cert-portal.siemens.com)
- Implement compensating controls: tighten physical access to connectors, segment charger management networks, and disable unnecessary remote services. (cert-portal.siemens.com)
- Increase logging and monitoring for anomalous activity on vehicle-facing interfaces; retain forensic logs for post‑patch validation.
- Treat the vulnerability as a reminder to adopt defense‑in‑depth for EV charging installations — assume the hardware interface may be hostile and design accordingly.
Conclusion: apply the vendor firmware, harden the site, and use this advisory as an impetus to reassess cable‑level trust assumptions across your charging estate.
Source: CISA Siemens Heliox EV Chargers | CISA