The Siemens VersiCharge AC Series EV Chargers have emerged as essential infrastructure for the global transition toward electric mobility, playing a pivotal role in both commercial and residential sectors. Known for their robust engineering and feature-rich design, these charging systems are found worldwide and supported by Siemens’ long-standing reputation for reliability. However, as smart charging stations become integral parts of broader energy and transportation networks, cyber risks associated with these devices draw mounting scrutiny. In May 2025, a new series of vulnerabilities—CVE-2025-31929 and CVE-2025-31930—surfaced, prompting significant attention from both security professionals and industry operators.
Siemens VersiCharge: The Backbone of Modern EV Charging
Electric Vehicle (EV) infrastructure has evolved rapidly, with Siemens’ VersiCharge AC Series often positioned at the forefront. These chargers, designed for various deployment scenarios (including home garages, fleet depots, commercial and municipal parking), support both single-phase (7.4kW) and three-phase (22kW, and up to 80A) operation. Their modular architecture enables integration with payment systems, load management, and remote monitoring, making them favored choices for large-scale rollouts.
However, this flexible connectivity—while enabling features such as over-the-air (OTA) updates and device management—simultaneously opens attack pathways if not rigorously secured. The latest advisories, therefore, bring into sharp relief the challenges inherent in balancing accessibility, user convenience, and enterprise-grade security in critical energy assets.
Executive Summary of the 2025 Vulnerabilities
In May 2025, Siemens disclosed two critical vulnerabilities affecting a wide array of VersiCharge products:
- CVE-2025-31929: “Missing Immutable Root of Trust in Hardware”
- CVE-2025-31930: “Initialization of a Resource with an Insecure Default”
The affected models include dozens of product variants, covering both IEC and UL standards, each with distinct socket, cable, and communication configurations. A full list is maintained in Siemens’ ProductCERT Security Advisories and CISA’s industrial control system (ICS) advisories, ensuring transparency and traceability for asset owners.
Risk Evaluation: What Can Go Wrong?
The technical analysis conducted by Siemens (acknowledged by CISA) outlines two primary exploit scenarios:
- Physical Compromise via Missing Root of Trust (CVE-2025-31929):
  Devices lack an immutable hardware-based root of trust in specific microcontroller (M0) firmware. This means that a determined attacker with physical access could flash arbitrary firmware, evading cryptographic verification mechanisms. Such an attack could be used to alter device operation, disrupt charging services, or install persistent backdoors—potentially impacting safety, privacy, and billing accuracy.
  - Severity: CVSS v4 Base Score 4.1 (Physical access required; high impact on integrity, minor on confidentiality/availability)
  - Scope: All device variants listed in Siemens’ advisory
- Network Attack via Insecure Defaults (CVE-2025-31930):
  Devices ship with Modbus network services enabled by default and no robust authentication. This exposes a straightforward path for attackers within the same network (‘adjacent network’ in CVSS terminology) to remotely control charger functions—including enabling/disabling charging, modifying setpoints, or launching denial-of-service conditions.
  - Severity: CVSS v4 Base Score 8.7 (Attack requires only network access; high impact across confidentiality, integrity, and availability)
  - Scope: Units with obsolete or unpatched firmware (pre-V2.135), as well as certain product revisions still in distribution
Technical Details: Breaking Down the CVEs
CVE-2025-31929: Missing Immutable Root of Trust in Hardware (CWE-1326)
A root of trust is a foundational security building block, enabling cryptographic validation of firmware before execution. In the affected VersiCharge units, the absence of this immutable anchor—especially in the context of STMicroelectronics ARM Cortex-M0 microcontrollers—means that firmware updates or replacements are not reliably validated for authenticity.
Exploit Scenario:
An attacker with even brief physical access can reprogram the microcontroller's flash memory, substituting Siemens-provided code with malicious variants. Attackers could, for instance:
- Disrupt local charging operations,
- Leak sensitive operational metrics,
- Install "stay-behind" malware for later remote access.
For a large subset of models, Siemens stated, “currently no fix is planned.” This means affected organizations must rely on physical protections and operational controls, as hardware retrofitting or field updates are impractical or potentially cost-prohibitive for legacy devices.
CVE-2025-31930: Initialization of a Resource with an Insecure Default (CWE-1188)
Perhaps the more immediately exploitable risk, CVE-2025-31930 centers on network-exposed services configured with insecure defaults. Modbus—a decades-old industrial protocol—fails to require any authentication, and its exposure invites abuse. Many VersiCharge units, as shipped, had this service activated and unprotected.
Exploit Scenario:
An attacker simply needs network proximity (e.g., unauthorized Wi-Fi, compromised LAN/VLAN, or piggybacking on public charging infrastructure) to issue Modbus commands. Potential consequences include:
- Unauthorized enable/disable of charging sessions
- Changing charger parameters (risking device abuse or battery damage)
- Denial of service or disruption of critical energy systems
Critical Infrastructure Implications and Real-World Risks
These vulnerabilities are not hypothetical. The energy sector, as a pillar of critical infrastructure, is increasingly targeted due to its direct societal, economic, and national security relevance. With electric vehicles now ubiquitous in corporate fleets, public transit, and emergency services, compromised charging stations could have cascading effects.
- Fleet Operators: Orchestrated attacks could disrupt time-sensitive operations for delivery vans, buses, or emergency vehicles.
- Public Charging: Mass disabling or manipulation of public charging points could erode public trust and stall adoption of sustainable transport.
- Grid Interaction: With some units supporting grid-aware functions, adversarial control could potentially influence grid demand and stability.
Mitigation Guidance: What Users and Operators Must Do
Siemens and CISA recommend a layered, defense-in-depth approach. Remediation falls into two categories: software updates and operational best practices.
Immediate Remediation Steps
- Patch and Update: For all device types where a fix is available, update to firmware version V2.135 or later. For units connected to Siemens’ Device Management, OTA updates should be automatically pushed if the charger is online and fully commissioned.
  - For those with isolated deployments or custom integrations, make arrangements through Siemens Customer Support for guidance on offline updates or migration strategies.
- Physical Security: For devices without available fixes, heighten physical access controls:
  - Install chargers in secured, monitored areas.
  - Employ enclosure tamper detection where feasible.
  - Conduct regular inspections for unauthorized access or hardware modification.
Network and Environmental Controls
- Network Segmentation: Place EV chargers on isolated VLANs or dedicated networks, segregated from business IT or public access points.
- Firewalling: Restrict all Modbus TCP/UDP/IP ports and unnecessary management protocols. Only grant network access to required management systems, preferably over VPN with multi-factor authentication.
- Disabling Unused Services: (Where possible) disable Modbus and other nonessential services, especially on units pending firmware updates.
Broader Cybersecurity Recommendations
CISA emphasizes the following best practices, which align with established ICS defense guidance:
- Keep all ICS and OT assets off the public internet unless explicitly required and heavily protected.
- Monitor network activity for anomalous behaviors targeting charger endpoints.
- Employ secure remote access tools, recognizing that even VPNs carry risk if endpoints are compromised.
- Conduct regular risk assessments tailored to the operational context (fleet depot, public, home, etc.).
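The Modbus guidance above (grant access only to required management systems, and monitor for anomalous traffic aimed at charger endpoints) translates directly into a detection rule. The following Python is an added example, not code from Siemens or CISA: it parses the Modbus/TCP header of traffic sent to a charger on the protocol's standard port 502 and rates state-changing requests from unapproved hosts as high severity. The management host address, the sample frames and the register address and value inside them are constructed for illustration.

```python
import ipaddress
import struct

ALLOWED_MANAGERS = {ipaddress.ip_address("10.20.0.5")}  # assumption: constructed manager address
# Standard Modbus function codes that change device state.
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
               0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}


def parse_mbap(payload: bytes):
    """Return (unit_id, function_code) for a Modbus/TCP request, or None if malformed."""
    if len(payload) < 8:  # 7-byte MBAP header + 1-byte function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; the length field counts unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def classify(src: str, payload: bytes):
    """Return (severity, reason) for one TCP/502 payload sent to a charger."""
    if ipaddress.ip_address(src) in ALLOWED_MANAGERS:
        return ("info", "traffic from approved management host")
    parsed = parse_mbap(payload)
    if parsed is None:
        return ("medium", "malformed or non-Modbus data from unapproved host")
    if parsed[1] in WRITE_CODES:
        return ("high", f"{WRITE_CODES[parsed[1]]} from unapproved host")
    return ("medium", f"non-write function 0x{parsed[1]:02X} from unapproved host")


# Constructed sample traffic: (source IP, hex of the TCP payload sent to port 502).
SAMPLES = [
    ("10.20.0.5", "000100000006010300000002"),   # approved manager reads registers
    ("10.20.7.44", "000200000006010300000002"),  # unknown host reads registers
    ("10.20.7.44", "00030000000601060010ffff"),  # unknown host writes a register
    ("10.20.7.44", "0004000000"),                # truncated frame
]


def run(samples=SAMPLES):
    return [classify(src, bytes.fromhex(data))[0] for src, data in samples]


if __name__ == "__main__":
    for (src, data), severity in zip(SAMPLES, run()):
        print(f"{severity:6} {src:11} {data}")
```

On a segmented charger VLAN, any "medium" or "high" result also indicates that the firewall rules are not limiting Modbus to the approved management systems.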
Strengths and Positive Developments in the Response
While the vulnerabilities themselves are serious, several aspects of Siemens’ and CISA’s response stand out:
- Transparency: Siemens rapidly disclosed affected models and mitigations, working with CISA and global CERT authorities. This enabled asset owners to make informed decisions promptly.
- OTA Update Capability: The inclusion of over-the-air firmware updates in many recent VersiCharge deployments dramatically improves time-to-patch metrics, an area where ICS environments have often lagged.
- Comprehensive Advisory: Both Siemens and CISA provided detailed remediation paths, including explicit device SKUs, CVE mapping, and best practice resources—an approach that should become the industry standard.
Notable Weaknesses and Ongoing Risks
Despite the proactive disclosure, several unresolved issues persist:
- No Fix for Legacy Hardware: For the majority of afflicted SKUs, especially those released prior to recent hardware platforms, Siemens has stated that “no fix is planned.” Operators of these devices must rely indefinitely on compensating controls.
- Insecure Defaults as a Lingering Industry Problem: That Modbus and similar unauthenticated services remain enabled by default on new deployments reflects a broader challenge in ICS and smart device security culture—usability too often trumps security in initial configurations.
- Device Lifecycle Concerns: With EV charging stations often expected to remain in operation for a decade or more, the long tail of legacy exposure is significant. Asset owners must consider both replacement and accelerated retirement strategies for unsupported models.
Broader Lessons for Smart Infrastructure Security
The Siemens VersiCharge vulnerabilities epitomize the “IT/OT convergence” challenge—where operational technologies increasingly adopt IT-like features (remote management, edge intelligence, integration with cloud platforms) without always inheriting the security rigor expected of IT products.
Critical infrastructure stakeholders should take this as a case study to:
- Insist on immutable hardware roots of trust for all new device purchases.
- Mandate authenticated, encrypted, and user-configurable network service profiles out of the box.
- Expect ongoing security lifecycles—clearly published end-of-support dates, automated patching, and migration paths for obsolete hardware.
The Path Forward: Turning Risk into Resilience
For operators of Siemens VersiCharge (and similar charging infrastructure), a comprehensive plan should include:
- Immediate identification of all deployed VersiCharge models and their current firmware version.
- Prompt prioritization of patching where fixes exist—especially for public/commercial chargers or critical fleets.
- For units without fixes, layering detailed physical and network controls as outlined above.
- Long-term planning for hardware lifecycle management, including budgetary allocation for phased device replacement or upgrades to units supporting secure boot and authenticated network services.
- Ongoing operator training in ICS cyber hygiene—including social engineering awareness—to reduce risk of both remote and insider-driven compromise.
Conclusion
The Siemens VersiCharge AC Series vulnerabilities of 2025 represent a pivotal moment in the security maturity of smart infrastructure. They highlight both persistent challenges—legacy device insecurity, inadequate default configurations—and the value of coordinated, transparent vulnerability disclosure and response.
The window of risk for many deployments remains open, especially where legacy hardware or insecure network environments persist. Ultimately, it is the shared responsibility of manufacturers, asset owners, and policymakers to ensure that innovation in energy and mobility does not outpace the essential foundations of security and resilience. For anyone tasked with operating or securing EV infrastructure, Siemens’ advisory and CISA’s guidance are required reading—and their lessons will echo across all of smart infrastructure in the years to come.
Source: CISA Siemens VersiCharge AC Series EV Chargers | CISA