The Siemens VersiCharge AC Series EV Chargers have emerged as essential infrastructure for the global transition toward electric mobility, playing a pivotal role in both commercial and residential sectors. Known for their robust engineering and feature-rich design, these charging systems are found worldwide and supported by Siemens’ long-standing reputation for reliability. However, as smart charging stations become integral parts of broader energy and transportation networks, cyber risks associated with these devices draw mounting scrutiny. In May 2025, a new series of vulnerabilities—CVE-2025-31929 and CVE-2025-31930—surfaced, prompting significant attention from both security professionals and industry operators.

Electric vehicle charging station with a connected charging cable during sunset.
Siemens VersiCharge: The Backbone of Modern EV Charging

Electric Vehicle (EV) infrastructure has evolved rapidly, with Siemens’ VersiCharge AC Series often positioned at the forefront. These chargers, designed for various deployment scenarios (including home garages, fleet depots, commercial and municipal parking), support both single-phase (7.4 kW) and three-phase (22 kW, and up to 80 A) operation. Their modular architecture enables integration with payment systems, load management, and remote monitoring, making them favored choices for large-scale rollouts.
However, this flexible connectivity—while enabling features such as over-the-air (OTA) updates and device management—simultaneously opens attack pathways if not rigorously secured. The latest advisories, therefore, bring into sharp relief the challenges inherent in balancing accessibility, user convenience, and enterprise-grade security in critical energy assets.

Executive Summary of the 2025 Vulnerabilities

In May 2025, Siemens disclosed two critical vulnerabilities affecting a wide array of VersiCharge products:
  • CVE-2025-31929: “Missing Immutable Root of Trust in Hardware”
  • CVE-2025-31930: “Initialization of a Resource with an Insecure Default”
Both issues were rated with significant severity according to the Common Vulnerability Scoring System (CVSS v4), with CVE-2025-31930 scoring particularly high at 8.7, reflecting an attack that can be launched from an adjacent network with low complexity. If exploited, these weaknesses could allow attackers to gain unauthorized device control or manipulate EV charger firmware; the implications span from service interruptions to safety hazards and broader energy grid manipulation.
The affected models include dozens of product variants, covering both IEC and UL standards, each with distinct socket, cable, and communication configurations. A full list is maintained in Siemens’ ProductCERT Security Advisories and CISA’s industrial control system (ICS) advisories, ensuring transparency and traceability for asset owners.

Risk Evaluation: What Can Go Wrong?

The technical analysis conducted by Siemens (acknowledged by CISA) outlines two primary exploit scenarios:
  • Physical Compromise via Missing Root of Trust (CVE-2025-31929):
    Devices lack an immutable hardware-based root of trust in specific microcontroller (M0) firmware. This means that a determined attacker with physical access could flash arbitrary firmware, evading cryptographic verification mechanisms. Such an attack could be used to alter device operation, disrupt charging services, or install persistent backdoors—potentially impacting safety, privacy, and billing accuracy.
    • Severity: CVSS v4 Base Score 4.1 (Physical access required; high impact on integrity, minor on confidentiality/availability)
    • Scope: All device variants listed in Siemens’ advisory
  • Network Attack via Insecure Defaults (CVE-2025-31930):
    Devices ship with Modbus network services enabled by default and no robust authentication. This exposes a straightforward path for attackers within the same network (‘adjacent network’ in CVSS terminology) to remotely control charger functions—including enabling/disabling charging, modifying setpoints, or launching denial-of-service conditions.
    • Severity: CVSS v4 Base Score 8.7 (Attack requires only network access; high impact across confidentiality, integrity, and availability)
    • Scope: Units with obsolete or unpatched firmware (pre-V2.135), as well as certain product revisions still in distribution
These vulnerabilities underscore the systemic risks posed by insecure configurations and insufficient hardware-based security mechanisms in smart infrastructure. Given the role of EV chargers in supporting both commercial fleets and private transportation, coordinated exploitation could affect large numbers of vehicles and, by extension, critical mobility and energy services.

Technical Details: Breaking Down the CVEs

CVE-2025-31929: Missing Immutable Root of Trust in Hardware (CWE-1326)

A root of trust is a foundational security building block, enabling cryptographic validation of firmware before execution. In the affected VersiCharge units, the absence of this immutable anchor—especially in the context of STMicroelectronics ARM Cortex-M0 microcontrollers—means that firmware updates or replacements are not reliably validated for authenticity.
Exploit Scenario:
An attacker with even brief physical access can reprogram the microcontroller's flash memory, substituting Siemens-provided code with malicious variants. Attackers could, for instance:
  • Disrupt local charging operations,
  • Leak sensitive operational metrics,
  • Install "stay-behind" malware for later remote access.
Mitigation Roadblock:
For a large subset of models, Siemens stated, “currently no fix is planned.” This means affected organizations must rely on physical protections and operational controls, as hardware retrofitting or field updates are impractical or potentially cost-prohibitive for legacy devices.

CVE-2025-31930: Initialization of a Resource with an Insecure Default (CWE-1188)

Perhaps the more immediately exploitable risk, CVE-2025-31930 centers on network-exposed services configured with insecure defaults. Modbus, a decades-old industrial protocol, provides no authentication of its own, so exposing it on a network invites abuse. Many VersiCharge units, as shipped, had this service activated and unprotected.
Exploit Scenario:
An attacker simply needs network proximity (e.g., unauthorized Wi-Fi, compromised LAN/VLAN, or piggybacking on public charging infrastructure) to issue Modbus commands. Potential consequences include:
  • Unauthorized enable/disable of charging sessions
  • Changing charger parameters (risking device abuse or battery damage)
  • Denial of service or disruption of critical energy systems
As of the most recent advisory, Siemens has addressed this in newer firmware (V2.135 and later). Units connected to Siemens’ Device Management can receive the fix as an over-the-air update, but legacy or isolated deployments may remain exposed.

Critical Infrastructure Implications and Real-World Risks

These vulnerabilities are not hypothetical. The energy sector, as a pillar of critical infrastructure, is increasingly targeted due to its direct societal, economic, and national security relevance. With electric vehicles now ubiquitous in corporate fleets, public transit, and emergency services, compromised charging stations could have cascading effects.
  • Fleet Operators: Orchestrated attacks could disrupt time-sensitive operations for delivery vans, buses, or emergency vehicles.
  • Public Charging: Mass disabling or manipulation of public charging points could erode public trust and stall adoption of sustainable transport.
  • Grid Interaction: With some units supporting grid-aware functions, adversarial control could potentially influence grid demand and stability.
It is notable, however, that no known public exploitation of these specific vulnerabilities has been reported as of the latest CISA advisory. Nonetheless, the low complexity of network-based attacks and the physical accessibility of many deployment scenarios warrant urgent attention.

Mitigation Guidance: What Users and Operators Must Do

Siemens and CISA recommend a layered, defense-in-depth approach. Remediation falls into two categories: software updates and operational best practices.

Immediate Remediation Steps

  • Patch and Update: For all device types where a fix is available, update to firmware version V2.135 or later. For units connected to Siemens’ Device Management, OTA updates should be automatically pushed if the charger is online and fully commissioned.
    • For isolated deployments or custom integrations, arrange offline updates or migration strategies through Siemens Customer Support.
  • Physical Security: For devices without available fixes, heighten physical access controls:
    • Install chargers in secured, monitored areas.
    • Employ enclosure tamper detection where feasible.
    • Conduct regular inspections for unauthorized access or hardware modification.

Network and Environmental Controls

  • Network Segmentation: Place EV chargers on isolated VLANs or dedicated networks, segregated from business IT or public access points.
  • Firewalling: Restrict all Modbus TCP/UDP/IP ports and unnecessary management protocols. Only grant network access to required management systems, preferably over VPN with multi-factor authentication.
  • Disable Unused Services: Where possible, disable Modbus and other nonessential services, especially on units pending firmware updates.
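To make the segmentation and firewall guidance above auditable, the following script checks connection records for Modbus/TCP sessions toward the charger VLAN that did not come from the allowlisted management host. It is an added example written for this article, not code from Siemens or CISA; the charger VLAN, the allowlisted host and the flow records are constructed.

```python
"""Flag Modbus/TCP sessions to EV chargers that the segmentation and firewall
policy above should have blocked. Added example for this article: the charger
VLAN, the allowlisted management host and the flow records are constructed."""
import ipaddress
from dataclasses import dataclass

MODBUS_TCP_PORT = 502  # standard Modbus/TCP port
# Constructed environment: chargers sit on an isolated VLAN and only the
# site's energy-management host (EMS) may speak Modbus to them.
CHARGER_VLAN = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_MODBUS_CLIENTS = {ipaddress.ip_address("10.50.0.10")}

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str

def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: 'src=A dst=B dport=N proto=P'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]), "proto": fields["proto"].lower()}

def audit_flows(lines):
    """One Finding per flow that reaches a charger's Modbus port from a host
    that is not allowlisted, whether it sits inside or outside the VLAN."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["dst"] not in CHARGER_VLAN or f["dport"] != MODBUS_TCP_PORT:
            continue  # not Modbus traffic toward a charger
        if f["src"] in ALLOWED_MODBUS_CLIENTS:
            continue  # expected EMS traffic
        reason = ("peer inside charger VLAN (lateral Modbus use)"
                  if f["src"] in CHARGER_VLAN else "unapproved host outside charger VLAN")
        findings.append(Finding(str(f["src"]), str(f["dst"]), reason))
    return findings

# Constructed sample flow log: allowed EMS polling, HTTPS to a charger, an office
# workstation, charger-to-charger Modbus, and Modbus to a host that is not a charger.
SAMPLE_FLOWS = """\
src=10.50.0.10 dst=10.20.0.21 dport=502 proto=tcp
src=10.50.0.10 dst=10.20.0.22 dport=443 proto=tcp
src=192.168.7.44 dst=10.20.0.21 dport=502 proto=tcp
src=10.20.0.30 dst=10.20.0.22 dport=502 proto=tcp
src=10.50.0.10 dst=10.60.0.5 dport=502 proto=tcp
""".splitlines()
```

Running `audit_flows(SAMPLE_FLOWS)` yields two findings: the office workstation and the charger-to-charger session; the latter is the adjacent-network case the advisory describes, which a per-host firewall rule on the charger VLAN would have stopped.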

Broader Cybersecurity Recommendations

CISA emphasizes the following best practices, which align with established ICS defense guidance:
  • Keep all ICS and OT assets off the public internet unless explicitly required and heavily protected.
  • Monitor network activity for anomalous behaviors targeting charger endpoints.
  • Employ secure remote access tools, recognizing that even VPNs carry risk if endpoints are compromised.
  • Conduct regular risk assessments tailored to the operational context (fleet depot, public, home, etc.).
Siemens additionally offers operational guidelines and readiness assessments through its Industrial Security portal, advocating industry standards like IEC 62443 for device and system protection.

Strengths and Positive Developments in the Response

While the vulnerabilities themselves are serious, several aspects of Siemens’ and CISA’s response stand out:
  • Transparency: Siemens rapidly disclosed affected models and mitigations, working with CISA and global CERT authorities. This enabled asset owners to make informed decisions promptly.
  • OTA Update Capability: The inclusion of over-the-air firmware updates in many recent VersiCharge deployments dramatically improves time-to-patch metrics, an area where ICS environments have often lagged.
  • Comprehensive Advisory: Both Siemens and CISA provided detailed remediation paths, including explicit device SKUs, CVE mapping, and best practice resources—an approach that should become the industry standard.
Furthermore, to date, there is no evidence of these vulnerabilities being exploited in the wild, which speaks at least in part to the effectiveness of segmentation and physical controls in many current deployments.

Notable Weaknesses and Ongoing Risks

Despite the proactive disclosure, several unresolved issues persist:
  • No Fix for Legacy Hardware: For the majority of afflicted SKUs, especially those released prior to recent hardware platforms, Siemens has stated that “no fix is planned.” Operators of these devices must rely indefinitely on compensating controls.
  • Insecure Defaults as a Lingering Industry Problem: That Modbus and similar unauthenticated services remain enabled by default on new deployments reflects a broader challenge in ICS and smart device security culture—usability too often trumps security in initial configurations.
  • Device Lifecycle Concerns: With EV charging stations often expected to remain in operation for a decade or more, the long tail of legacy exposure is significant. Asset owners must consider both replacement and accelerated retirement strategies for unsupported models.

Broader Lessons for Smart Infrastructure Security

The Siemens VersiCharge vulnerabilities epitomize the “IT/OT convergence” challenge—where operational technologies increasingly adopt IT-like features (remote management, edge intelligence, integration with cloud platforms) without always inheriting the security rigor expected of IT products.
Critical infrastructure stakeholders should take this as a case study to:
  • Insist on immutable hardware roots of trust for all new device purchases.
  • Mandate authenticated, encrypted, and user-configurable network service profiles out of the box.
  • Expect ongoing security lifecycles—clearly published end-of-support dates, automated patching, and migration paths for obsolete hardware.
Government and regulatory authorities, for their part, are likely to intensify requirements for secure-by-design products, particularly in the realm of energy and transport.

The Path Forward: Turning Risk into Resilience

For operators of Siemens VersiCharge (and similar charging infrastructure), a comprehensive plan should include:
  • Immediate identification of all deployed VersiCharge models and their current firmware version.
  • Prompt prioritization of patching where fixes exist—especially for public/commercial chargers or critical fleets.
  • For units without fixes, layering detailed physical and network controls as outlined above.
  • Long-term planning for hardware lifecycle management, including budgetary allocation for phased device replacement or upgrades to units supporting secure boot and authenticated network services.
  • Ongoing operator training in ICS cyber hygiene—including social engineering awareness—to reduce risk of both remote and insider-driven compromise.
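The first three steps of that plan (inventory, prioritize patching, fall back to compensating controls) can be turned into a repeatable triage. The script below is an added example written for this article, not Siemens' or CISA's tooling; the inventory rows, the site categories and the P1/P2/P3 scheme are constructed, and the only advisory fact it encodes is that V2.135 or later addresses CVE-2025-31930.

```python
"""Triage a VersiCharge inventory against the two 2025 CVEs discussed above.
Added example for this article: inventory rows, site categories and the
priority scheme are constructed, not Siemens' or CISA's own tooling."""
import re
from dataclasses import dataclass

FIXED_FIRMWARE = (2, 135)  # V2.135 and later address CVE-2025-31930
HIGH_PRIORITY_SITES = {"public", "commercial", "critical_fleet"}  # constructed labels

@dataclass(frozen=True)
class Charger:
    asset_id: str
    firmware: str        # version string as reported by the unit, e.g. "V2.135"
    site: str            # public, commercial, critical_fleet, depot or home
    ota_connected: bool  # enrolled in Siemens Device Management (OTA-capable)

def parse_version(fw: str):
    """'V2.135' -> (2, 135). Assumes numeric major.minor ordering."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return int(m.group(1)), int(m.group(2))

def triage(ch: Charger) -> dict:
    """Actions for one unit. Assumption: every unit gets compensating physical
    controls for CVE-2025-31929, since no fix is planned for many models."""
    actions = []
    exposed_31930 = parse_version(ch.firmware) < FIXED_FIRMWARE
    if exposed_31930:
        actions.append("OTA update to V2.135 or later" if ch.ota_connected
                       else "arrange offline update via Siemens Customer Support")
        actions.append("restrict or disable Modbus until updated")
    actions.append("physical access controls and tamper inspection (CVE-2025-31929)")
    priority = ("P1" if exposed_31930 and ch.site in HIGH_PRIORITY_SITES
                else "P2" if exposed_31930 else "P3")
    return {"asset": ch.asset_id, "priority": priority,
            "cve_2025_31930_exposed": exposed_31930, "actions": actions}

def triage_inventory(chargers):
    """Highest priority first, so the list doubles as the patching queue."""
    return sorted((triage(c) for c in chargers), key=lambda r: r["priority"])

# Constructed sample inventory.
INVENTORY = [
    Charger("EVC-001", "V2.130", "public", True),
    Charger("EVC-002", "V2.135", "commercial", True),
    Charger("EVC-003", "V2.120", "depot", False),
    Charger("EVC-004", "V2.140", "home", False),
]
```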
Above all, this incident is an important reminder that the energy transition and digitalization journey—while offering huge benefits—demands continuous vigilance. As EV charging and other distributed energy resources proliferate, the attack surface grows. Only a culture that integrates security at every layer—from silicon to cloud—will safeguard the future of electric mobility and critical infrastructure.

Conclusion

The Siemens VersiCharge AC Series vulnerabilities of 2025 represent a pivotal moment in the security maturity of smart infrastructure. They highlight both persistent challenges—legacy device insecurity, inadequate default configurations—and the value of coordinated, transparent vulnerability disclosure and response.
The window of risk for many deployments remains open, especially where legacy hardware or insecure network environments persist. Ultimately, it is the shared responsibility of manufacturers, asset owners, and policymakers to ensure that innovation in energy and mobility does not outpace the essential foundations of security and resilience. For anyone tasked with operating or securing EV infrastructure, Siemens’ advisory and CISA’s guidance are required reading—and their lessons will echo across all of smart infrastructure in the years to come.

Source: CISA Siemens VersiCharge AC Series EV Chargers | CISA