ID

VAR-202506-0586


CVE

CVE-2025-6678


TITLE

(Pwn2Own) Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability

Trust: 0.7

sources: ZDI: ZDI-25-342

DESCRIPTION

Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Pile API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26352. Autel MaxiCharger AC Wallbox Commercial is a smart AI electric vehicle charger from Autel, a US company.

Trust: 2.07

sources: NVD: CVE-2025-6678 // ZDI: ZDI-25-342 // CNVD: CNVD-2025-14953
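The flaw class above (CWE-306, an API operation served before any check of who is asking) is easiest to recognise side by side with its fix. The following is an added example written for this page, not code from Autel, ZDI or CNVD: the HTTP-style request model, the route name /api/pile/credentials, the bearer-token scheme and the credential record are all assumptions chosen for illustration and say nothing about how the real Pile API is implemented. The probe at the end is the check a tester would run against either handler.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: a hypothetical backend credential record of the
# kind an unauthenticated disclosure would leak. Not real Autel data.
STORED_CREDENTIALS = {"ocpp_user": "charger-0001", "ocpp_password": "s3cret-example"}

# Hypothetical per-device API token. On a real device this would be
# provisioned per unit at manufacture, never a build-time constant.
API_TOKEN = secrets.token_hex(16)

# Hypothetical route name, not the real Pile API path.
CREDENTIALS_PATH = "/api/pile/credentials"


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_credentials_endpoint(req: Request) -> Response:
    # CWE-306: the operation is dispatched purely on the path; nothing
    # establishes the caller's identity before the secret is returned.
    if req.path == CREDENTIALS_PATH:
        return Response(200, dict(STORED_CREDENTIALS))
    return Response(404, {"error": "not found"})


def _authenticated(req: Request) -> bool:
    """Accept only 'Authorization: Bearer <token>' with the provisioned token."""
    auth = req.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte
    # through timing differences.
    return hmac.compare_digest(token.encode(), API_TOKEN.encode())


def fixed_credentials_endpoint(req: Request) -> Response:
    # The authentication decision runs before any route-specific logic,
    # so a new route cannot be added later without inheriting the check.
    if not _authenticated(req):
        return Response(401, {"error": "authentication required"})
    if req.path == CREDENTIALS_PATH:
        return Response(200, dict(STORED_CREDENTIALS))
    return Response(404, {"error": "not found"})


def leaks_without_auth(handler) -> bool:
    """Probe: does a request carrying no credentials get the secret fields back?"""
    resp = handler(Request(CREDENTIALS_PATH))
    return resp.status == 200 and "ocpp_password" in resp.body


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_without_auth(vulnerable_credentials_endpoint))
    print("fixed handler leaks:", leaks_without_auth(fixed_credentials_endpoint))
```

The probe is deliberately indifferent to how the handler is wired: it only asserts the security property the advisory describes (credentials must not be served to an unauthenticated caller), so the same test distinguishes the two handlers regardless of framework.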

IOT TAXONOMY

category: IoT, sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-14953

AFFECTED PRODUCTS

vendor: autel, model: maxicharger ac wallbox commercial, scope: -, version: -

Trust: 0.7

vendor: autel, model: maxicharger ac wallbox commercial <v1.39.51, scope: -, version: -

Trust: 0.6

vendor: autel, model: maxicharger ac wallbox commercial <v1.56.51, scope: -, version: -

Trust: 0.6

sources: ZDI: ZDI-25-342 // CNVD: CNVD-2025-14953

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2025-6678
value: HIGH

Trust: 1.0

ZDI: ZDI-25-342
value: HIGH

Trust: 0.7

CNVD: CNVD-2025-14953
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-14953
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2025-6678
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.0

ZDI: ZDI-25-342
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-25-342 // CNVD: CNVD-2025-14953 // NVD: CVE-2025-6678

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

sources: NVD: CVE-2025-6678

PATCH

title: Patch for Autel MaxiCharger AC Wallbox Commercial Access Control Error Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/704561

Trust: 0.6

sources: CNVD: CNVD-2025-14953

EXTERNAL IDS

db: ZDI, id: ZDI-25-342

Trust: 2.3

db: NVD, id: CVE-2025-6678

Trust: 1.6

db: ZDI_CAN, id: ZDI-CAN-26352

Trust: 0.7

db: CNVD, id: CNVD-2025-14953

Trust: 0.6

sources: ZDI: ZDI-25-342 // CNVD: CNVD-2025-14953 // NVD: CVE-2025-6678

REFERENCES

url: https://www.zerodayinitiative.com/advisories/zdi-25-342/

Trust: 1.6

sources: CNVD: CNVD-2025-14953 // NVD: CVE-2025-6678

CREDITS

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)

Trust: 0.7

sources: ZDI: ZDI-25-342

SOURCES

db: ZDI, id: ZDI-25-342
db: CNVD, id: CNVD-2025-14953
db: NVD, id: CVE-2025-6678

LAST UPDATE DATE

2025-07-04T19:31:14.052000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-25-342, date: 2025-06-11T00:00:00
db: CNVD, id: CNVD-2025-14953, date: 2025-07-03T00:00:00
db: NVD, id: CVE-2025-6678, date: 2025-06-26T18:57:43.670

SOURCES RELEASE DATE

db: ZDI, id: ZDI-25-342, date: 2025-06-11T00:00:00
db: CNVD, id: CNVD-2025-14953, date: 2025-07-03T00:00:00
db: NVD, id: CVE-2025-6678, date: 2025-06-25T18:15:25.507