ID

VAR-202506-0586


CVE

CVE-2025-6678


TITLE

Missing authentication for critical functions vulnerability in multiple Autel products

Trust: 0.8

sources: JVNDB: JVNDB-2025-013671

DESCRIPTION

Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Pile API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26352. Affected firmware includes MaxiCharger AC Elite Business C50 firmware, MaxiCharger AC Pro firmware, MaxiCharger AC Ultra firmware, and others. Autel MaxiCharger AC Wallbox Commercial is a smart AI electric vehicle charger from Autel, a US company.

Trust: 2.79

sources: NVD: CVE-2025-6678 // JVNDB: JVNDB-2025-013671 // ZDI: ZDI-25-342 // CNVD: CNVD-2025-14953

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-14953

AFFECTED PRODUCTS

vendor: autel, model: maxicharger ac ultra, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger dc compact pedestal, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger dc fast, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger dc compact mobile, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger dh480, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger dc hipower, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger single charger, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger ac pro, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger ac elite business c50, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger dc compact pedestal, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger single charger, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger ac ultra, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger dc fast, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger dc hipower, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger dh480, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger ac pro, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger dc compact mobile, scope: lt, version: 1.56.51

Trust: 1.0

vendor: autel, model: maxicharger ac elite business c50, scope: lt, version: 1.39.51

Trust: 1.0

vendor: autel, model: maxicharger dc hipower, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger ac pro, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger dh480, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger single charger, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger dc compact mobile, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger ac ultra, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger ac elite business c50, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger dc fast, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger dc compact pedestal, scope: -, version: -

Trust: 0.8

vendor: autel, model: maxicharger ac wallbox commercial, scope: -, version: -

Trust: 0.7

vendor: autel, model: maxicharger ac wallbox commercial <v1.39.51, scope: -, version: -

Trust: 0.6

vendor: autel, model: maxicharger ac wallbox commercial <v1.56.51, scope: -, version: -

Trust: 0.6

sources: ZDI: ZDI-25-342 // CNVD: CNVD-2025-14953 // JVNDB: JVNDB-2025-013671 // NVD: CVE-2025-6678

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2025-6678
value: HIGH

Trust: 1.0

OTHER: JVNDB-2025-013671
value: HIGH

Trust: 0.8

ZDI: ZDI-25-342
value: HIGH

Trust: 0.7

CNVD: CNVD-2025-14953
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-14953
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2025-6678
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.0

OTHER: JVNDB-2025-013671
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: ZDI-25-342
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-25-342 // CNVD: CNVD-2025-14953 // JVNDB: JVNDB-2025-013671 // NVD: CVE-2025-6678

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype:Lack of authentication for critical features (CWE-306) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-013671 // NVD: CVE-2025-6678

PATCH

title: Patch for Autel MaxiCharger AC Wallbox Commercial Access Control Error Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/704561

Trust: 0.6

sources: CNVD: CNVD-2025-14953

EXTERNAL IDS

db: NVD, id: CVE-2025-6678

Trust: 3.2

db: ZDI, id: ZDI-25-342

Trust: 3.1

db: JVNDB, id: JVNDB-2025-013671

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-26352

Trust: 0.7

db: CNVD, id: CNVD-2025-14953

Trust: 0.6

sources: ZDI: ZDI-25-342 // CNVD: CNVD-2025-14953 // JVNDB: JVNDB-2025-013671 // NVD: CVE-2025-6678

REFERENCES

url:https://www.zerodayinitiative.com/advisories/zdi-25-342/

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2025-6678

Trust: 0.8

sources: CNVD: CNVD-2025-14953 // JVNDB: JVNDB-2025-013671 // NVD: CVE-2025-6678

CREDITS

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)

Trust: 0.7

sources: ZDI: ZDI-25-342

SOURCES

db: ZDI, id: ZDI-25-342
db: CNVD, id: CNVD-2025-14953
db: JVNDB, id: JVNDB-2025-013671
db: NVD, id: CVE-2025-6678

LAST UPDATE DATE

2025-09-12T19:40:30.151000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-25-342, date: 2025-06-11T00:00:00
db: CNVD, id: CNVD-2025-14953, date: 2025-07-03T00:00:00
db: JVNDB, id: JVNDB-2025-013671, date: 2025-09-11T05:46:00
db: NVD, id: CVE-2025-6678, date: 2025-09-10T14:46:24.847

SOURCES RELEASE DATE

db: ZDI, id: ZDI-25-342, date: 2025-06-11T00:00:00
db: CNVD, id: CNVD-2025-14953, date: 2025-07-03T00:00:00
db: JVNDB, id: JVNDB-2025-013671, date: 2025-09-11T00:00:00
db: NVD, id: CVE-2025-6678, date: 2025-06-25T18:15:25.507