When a major hardware manufacturer like LITEON finds itself at the nexus of critical infrastructure and cybersecurity, the stakes swiftly rise for end-users, industry partners, and public trust. Recent revelations about a high-severity vulnerability in the LITEON IC48A and IC80A electric vehicle (EV) chargers provide a timely, sobering window into the evolving risks facing the fast-growing EV charging landscape. A recently published industrial control systems (ICS) advisory from CISA, backed by direct reporter input from security researcher Murat Sagdullaev of Electrada, details the specific threat: sensitive credentials for accessing the device’s FTP server were stored in cleartext in system logs, opening the door for potentially catastrophic breaches if exploited by a determined remote attacker. Let’s break down the facts, the technical context, and what it all means for organizations, operators, and the broader connected infrastructure ecosystem.

Background: LITEON EV Chargers and Their Critical Role

The LITEON IC48A and IC80A chargers serve not only commercial and personal EV markets but collectively anchor infrastructure in pivotal industrial sectors: energy, transportation systems, and commercial facilities. Deployed worldwide and backed by a company headquartered in Taiwan, LITEON has built a reputation for reliability in what is rapidly becoming the electric backbone of next-generation mobility. Unsurprisingly, this also positions its products as high-value targets for threat actors aiming to disrupt or control critical services.
As electric mobility continues its global surge—further accelerated by regulatory mandates and environmental pressures—the security of charging infrastructure becomes synonymous with the stability and safety of public and private transport. An attacker gaining access to EV charging systems doesn’t just threaten individual vehicles, but can potentially impact entire grids, disrupt logistics, and jeopardize public safety on a larger scale.

The Vulnerability: Plaintext FTP Passwords Exposed

The specific vulnerability (CVE-2025-7357), assigned by the Common Vulnerabilities and Exposures (CVE) project and analyzed in detail by CISA, is both clear in its impact and distressingly common in embedded device security: the affected LITEON IC48A and IC80A chargers, when running certain older firmware versions (prior to 01.00.19r for IC48A, and 01.01.12e for IC80A), store FTP server access credentials as unencrypted, cleartext entries within system logs. This places sensitive authentication information potentially within easy reach of any attacker able to remotely access the device’s file system or logs.
This weakness class, “Plaintext Storage of a Password” (CWE-256 in the Common Weakness Enumeration), is not new to the industry. But its presence in systems that underpin high-uptime, safety-critical infrastructure highlights the persistent gap between device functionality and security-by-design principles. Its latest Common Vulnerability Scoring System (CVSS) ratings are:
  • CVSS v3.1 base score: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVSS v4.0 base score: 8.7 (High), vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Both scores indicate the vulnerability is easily exploitable, requires no user interaction or privileges, and has a high impact on confidentiality. Attack complexity is low and remote exploitation is feasible, a trifecta that should set off alarms, especially for operators running large-scale charging networks.

Technical Analysis: How Password Exposure Unfolds

At its core, this vulnerability stems from insufficient credential handling in the firmware:
  • When the chargers connect to an FTP server for log offload, update, or diagnostics, the username and password credentials are captured in the device’s log files in readable, unencrypted format.
  • Any compromise of the charger’s interface—via remote access, network misconfiguration, or even physical retrieval of log files—effectively hands over valid credentials on a silver platter.
  • These credentials can, in turn, be used to access, modify, or exfiltrate sensitive data, install malware or firmware, or pivot to compromise other networked assets.
While exploiting this vulnerability may require some knowledge of networking or the specific device management interface, the low “attack complexity” rating from multiple independent assessments suggests that even attackers of intermediate skill could script attacks at scale. Particularly concerning is that ICS and OT (Operational Technology) environments often lag in patching and sometimes have direct internet exposure due to operational needs, which exacerbates the risk.
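The logging failure described in this section and its fix, as an added example (not LITEON firmware code or code from the advisory): a Python logging filter that masks FTP passwords before a record is written, plus an audit helper that reports which existing log lines contain them. The two leak patterns and the sample log lines are assumptions, since the charger's actual log format is not shown here.

```python
import logging
import re

# Assumed leak shapes (the charger's real log format is not published):
#   ftp://user:secret@host/path   and   password=secret / pass: secret
# \S+@ is greedy so a password that itself contains "@" is fully masked.
_URL_CRED = re.compile(r"(ftps?://[^\s:/@]+):\S+@", re.IGNORECASE)
_KV_CRED = re.compile(r"\b(pass(?:word|wd)?\s*[=:]\s*)\S+", re.IGNORECASE)
MASK = "[REDACTED]"


def redact(text):
    """Replace any FTP password found in text with a fixed mask."""
    text = _URL_CRED.sub(lambda m: f"{m.group(1)}:{MASK}@", text)
    return _KV_CRED.sub(lambda m: m.group(1) + MASK, text)


class CredentialRedactingFilter(logging.Filter):
    """Attach to a handler so secrets are scrubbed before being written."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


def audit_lines(lines):
    """Return 1-based numbers of lines that hold a cleartext password."""
    return [n for n, line in enumerate(lines, 1) if redact(line) != line]


# Constructed sample log lines, not taken from a real charger.
SAMPLE_LOG = [
    "02:00:01 diag: upload to ftp://svc_logs:Examp1e!pw@192.0.2.10/up/",
    "02:00:02 diag: ftp login user=svc_logs password=Examp1e!pw",
    "02:00:05 diag: upload complete, 48213 bytes",
]

if __name__ == "__main__":
    print("lines with cleartext credentials:", audit_lines(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
```

Any credential that `audit_lines` finds in historical logs should be treated as exposed and rotated; masking only protects records written after the filter is attached.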

Broader Risk Evaluation: Potential Impacts

Successful exploitation of the vulnerability can enable a range of attack scenarios, including but not limited to:
  • Unauthorized access to internal device logs and configuration.
  • Exfiltration of additional sensitive information, including operational data, charging session details, and potentially customer identifiers.
  • Manipulation or sabotage of firmware, undermining device reliability and safety.
  • Use of compromised credentials to gain wider access inside the charging network, including corporate or utility networks.
  • Staging of further attacks or lateral movement within high-value IT/OT environments.
A potential nightmare scenario involves a coordinated attack that disables or misconfigures multiple chargers simultaneously, disrupting EV operations at scale—or worse, using compromised systems as beachheads to attack energy sector infrastructure.
It is vital to note, however, that as of the latest CISA advisory update and available public reporting, no active attacks exploiting this vulnerability have been observed in the wild. Nevertheless, the possibility remains for exploitation, particularly by sophisticated actors keenly interested in targeting critical transportation or energy assets.

Patch and Mitigation: LITEON’s Response

In response to the disclosed vulnerability, LITEON has released updated firmware images for both affected product lines:
  • IC48A: Version 01.00.20h and later.
  • IC80A: Version 01.01.13m and later.
Updating to these versions effectively resolves the vulnerability by eliminating plaintext storage of FTP credentials, according to vendor documentation and supporting statements from CISA. LITEON recommends customers reach out directly via their contact portal for detailed update guidance.
CISA has further emphasized several general, but crucial, mitigation best practices for industrial and IoT device operators:
  • Minimizing network exposure: Devices should never be directly accessible from the public internet except in highly controlled, temporary circumstances.
  • Segmentation and isolation: All control system networks—including EV chargers—should be protected behind firewalls and physically/virtually separated from broader business networks.
  • Whitelisting remote access: Where remote management is unavoidable, secure methods such as up-to-date VPNs must be used, and all activity strictly logged.
  • Ongoing risk assessment: Always perform an impact and risk analysis prior to deploying new defenses, to avoid unintended side effects on operations.
CISA’s recommended reading, including such documents as "Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies," underscores the growing recognition that no single measure suffices—layered defense, continuous monitoring, and regular updates are all essential.

Notable Strengths and Improvements

There are reasons to be optimistic about how this incident has unfolded:
  • Rapid Disclosure and Response: The vulnerability was responsibly reported by researcher Murat Sagdullaev to CISA, and within a relatively short timeline, LITEON issued firmware updates while engaging openly with the advisory process.
  • Vendor Transparency: LITEON’s direct communication channels for customers, and willingness to acknowledge and address the problem head on, mark a positive step given the historical reluctance among some major manufacturers to admit to security flaws.
  • Broad Sector Coordination: This case marks ongoing coordination between research, industry, and government regulators, which is crucial for timely, effective vulnerability management across critical-infrastructure sectors.

Analysis of Risks and Lingering Challenges

Yet, several risks and systemic challenges linger after the patch dust settles:

Industry-Wide Credential Management Lapses

The presence of this vulnerability in an established vendor’s product lines highlights a systemic challenge: embedded device manufacturers too often prioritize feature rollouts over secure credential management. As EV charging and OT devices continue to proliferate at the “edge” of enterprise networks, the industry must embrace secure-by-design development frameworks or risk repeated, high-profile breaches.

Legacy Device Risks

A significant number of EV chargers in current deployment are unlikely to be updated rapidly or at all—especially if out of warranty, hard to reach, or under third-party management. The risk is not merely technical but organizational: asset visibility, update management, and lifecycle policies lag in many sectors, particularly among smaller operators.

Supply Chain and Third-Party Risks

Many organizations rely on contractors, third-party maintenance firms, or managed service providers for device installation and upkeep. Each link in this chain is a potential weak spot for delayed updates, misconfigurations, or failure to follow through on remediation advisory notices.

The Human Element

Even the best technical solutions require vigilance. Device operators must be aware of, and responsive to, security advisories. The importance of timely patch management, restricted access, and robust incident response procedures cannot be overemphasized.

Technical Best Practices for Users and Operators

For EV fleet managers, facility operators, or municipalities running LITEON’s affected chargers, the following best practices are both recommended by CISA and supported by multiple ICS/OT security experts:
  • Asset Inventory and Visibility: Maintain up-to-date records of all installed EV chargers, their respective firmware versions, and network exposure status.
  • Regular Firmware Audits: Schedule and verify quarterly (or more frequent) audits of device firmware; ensure updates are applied promptly upon release.
  • Credential Hygiene: Rotate all device passwords and review for reuse or weak patterns. Never use default or manufacturer-provided credentials in production environments.
  • Network Segmentation: Place EV chargers on dedicated VLANs or subnetworks, ensuring that any communication with enterprise or cloud assets traverses robust, monitored gateways.
  • Secure Remote Access: Only allow remote device management via approved, patched VPN solutions protected by multi-factor authentication (MFA), with strict audit trail requirements.
  • Comprehensive Logging: Enable system-wide logging and centralize log storage, with regular reviews for suspicious activity indicative of credential abuse.
  • Incident Response Playbooks: Instruct staff on rapid detection and remediation procedures in the event that unauthorized access or suspicious network activity is detected involving charging infrastructure.
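One way to run the inventory and firmware audit from the list above against an inventory export, as an added example that is not vendor or CISA tooling. It uses the version bounds quoted earlier in this article; the suffix ordering rule, the status names and the inventory rows are assumptions.

```python
import re

# Version bounds as quoted in this article from the advisory.
AFFECTED_BEFORE = {"IC48A": "01.00.19r", "IC80A": "01.01.12e"}
FIXED_FROM = {"IC48A": "01.00.20h", "IC80A": "01.01.13m"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(text):
    """Turn '01.00.19r' into the sortable tuple (1, 0, 19, 'r')."""
    # Assumption: numeric fields compare first, then the letter suffix
    # alphabetically; the vendor's own ordering rule is not on the page.
    match = _VERSION.match(text.strip().lower())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, build, suffix = match.groups()
    return int(major), int(minor), int(build), suffix


def classify(model, firmware):
    """Return 'patched', 'vulnerable', 'verify' or 'unknown'."""
    try:
        version = parse_version(firmware)
        fixed = parse_version(FIXED_FROM[model])
    except (KeyError, ValueError):
        return "unknown"  # other model or unreadable version string
    if version >= fixed:
        return "patched"
    if version < parse_version(AFFECTED_BEFORE[model]):
        return "vulnerable"
    return "verify"  # between the two bounds: the page does not classify


def audit(inventory):
    """Map charger id to status for every charger that is not patched."""
    statuses = {r["id"]: classify(r["model"], r["firmware"]) for r in inventory}
    return {cid: s for cid, s in statuses.items() if s != "patched"}


# Constructed inventory rows; ids and installed versions are made up.
INVENTORY = [
    {"id": "site1-bay01", "model": "IC48A", "firmware": "01.00.18c"},
    {"id": "site1-bay02", "model": "IC48A", "firmware": "01.00.20h"},
    {"id": "site2-bay01", "model": "IC80A", "firmware": "01.01.12e"},
    {"id": "site2-bay02", "model": "IC80A", "firmware": "n/a"},
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

Chargers reported as `verify` or `unknown` need a manual check against vendor guidance rather than being assumed safe.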

Regulatory and Compliance Considerations

Given their placement in sectors directly tied to public safety and critical operations, owners and operators of LITEON chargers—and indeed any connected EV charging devices—should also track evolving regulatory landscapes. In several jurisdictions, cybersecurity due diligence is not merely best practice but a legal requirement for critical infrastructure operators. Failure to apply patches or follow established control system security practices could expose organizations to significant regulatory penalties, insurance complications, or even litigation in the event of an incident.

Future Outlook: Secure by Design or Perpetual Remediation?

The LITEON CVE-2025-7357 episode is only the latest in a wave of IoT and OT credential management failures. It illustrates a sobering message for the ecosystem: the future of critical infrastructure depends as much on secure product engineering as on innovation and growth. As industry and regulators double down on security mandates—such as requiring software bills of materials (SBOMs), establishing vulnerability disclosure programs, and hardening default configurations—organizations must push vendors for transparent, timely security updates and adopt defense-in-depth architectures that assume some device-level compromise is all but inevitable.
LITEON’s quick patch response and cooperation with security agencies are to be commended. Still, only rigorous, ongoing attention—by vendors, site operators, and the broader industry—will ensure that the explosive growth of EV charging unfolds on a foundation of trust, safety, and resilience. For those responsible for these increasingly vital systems, the lesson is clear: inventory, patch, monitor, and—above all—never underestimate the impact of a single unsecured credential.

Conclusion

The security of electric vehicle charging infrastructure is no longer a niche concern—it is foundational to the safety, resilience, and success of the energy transition. The case of the LITEON IC48A and IC80A chargers, vulnerable through plaintext credential storage, is as much a cautionary tale as a call to action. Fast, coordinated action from researchers, vendors, and agencies was essential in this case, but the journey to a truly secure EV ecosystem depends on deeper structural change. Secure by default must become the norm, not the exception, and every operator must play an active role in safeguarding the future of mobility. As ever, in the realm of critical infrastructure security, complacency is the real enemy.

Source: CISA LITEON IC48A and IC80A EV Chargers | CISA
 
