CVE-2025-5825
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-09-10
Assigner: Zero Day Initiative
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| autel | maxicharger_ac_elite_business_c50_firmware | < 1.39.51 |
| autel | maxicharger_ac_elite_business_c50_firmware | < 1.56.51 |
| autel | maxicharger_ac_elite_business_c50 | * |
| autel | maxicharger_ac_pro_firmware | < 1.39.51 |
| autel | maxicharger_ac_pro_firmware | < 1.56.51 |
| autel | maxicharger_ac_pro | * |
| autel | maxicharger_ac_ultra_firmware | < 1.39.51 |
| autel | maxicharger_ac_ultra_firmware | < 1.56.51 |
| autel | maxicharger_ac_ultra | * |
| autel | maxicharger_dc_compact_mobile_firmware | < 1.39.51 |
| autel | maxicharger_dc_compact_mobile_firmware | < 1.56.51 |
| autel | maxicharger_dc_compact_mobile | * |
| autel | maxicharger_dc_compact_pedestal_firmware | < 1.39.51 |
| autel | maxicharger_dc_compact_pedestal_firmware | < 1.56.51 |
| autel | maxicharger_dc_compact_pedestal | * |
| autel | maxicharger_dc_fast_firmware | < 1.39.51 |
| autel | maxicharger_dc_fast_firmware | < 1.56.51 |
| autel | maxicharger_dc_fast | * |
| autel | maxicharger_dc_hipower_firmware | < 1.39.51 |
| autel | maxicharger_dc_hipower_firmware | < 1.56.51 |
| autel | maxicharger_dc_hipower | * |
| autel | maxicharger_dh480_firmware | < 1.39.51 |
| autel | maxicharger_dh480_firmware | < 1.56.51 |
| autel | maxicharger_dh480 | * |
| autel | maxicharger_single_charger_firmware | < 1.39.51 |
| autel | maxicharger_single_charger_firmware | < 1.56.51 |
| autel | maxicharger_single_charger | * |
Firmware ranges have an excluded upper bound: `< 1.39.51` covers every build before 1.39.51, and `< 1.56.51` every build before 1.56.51. A `*` on a hardware entry means the platform is listed without a version constraint.
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1328 | Security Version Number Mutable to Older Versions: the security version number in hardware is mutable, resulting in the ability to downgrade (roll back) the boot firmware to vulnerable code versions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5825 is a remote code execution vulnerability in Autel MaxiCharger AC Wallbox Commercial charging stations. The flaw lies in the firmware update process, which does not properly validate firmware images before applying them. Its weakness class is CWE-1328, a mutable security version number: the device does not enforce that an incoming image is at least as new as the one it is running, so an attacker can roll the charger back to an older firmware build with known, exploitable bugs. Exploitation requires network adjacency; the attacker must first pair a malicious Bluetooth device with the target system, after which the downgraded firmware lets them execute arbitrary code on the device. [1]
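The following added example is not Autel's code and is not taken from the advisory; it illustrates the CWE-1328 failure described above with a constructed image format. `accept_update_vulnerable` checks only that an image is well formed (magic and CRC), so any image that was ever valid, including an older one with a known bug, is accepted again and the stored counter is simply overwritten. `accept_update_hardened` adds the anti-rollback rule: the image's security version must be at least the device's stored one, and the stored value only ever advances. The header layout, `FW_MAGIC`, the `device_state` counter and the sample images are all assumptions made for the example; a real device would also verify a signature over header and payload before trusting any header field.

```c
/* Added example, not Autel's code: a minimal firmware-update gate showing
 * the CWE-1328 failure (no anti-rollback check) beside a hardened version
 * that enforces a monotonic security version. Header layout, magic value
 * and sample images are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_MAGIC 0x41555446u  /* constructed magic, not a real Autel value */

struct fw_header {
    uint32_t magic;
    uint32_t security_version;  /* anti-rollback counter carried by the image */
    uint32_t payload_len;
    uint32_t crc32;             /* CRC-32 over the payload */
};

/* Simulated monotonic (e.g. OTP/fuse-backed) counter inside the device. */
struct device_state {
    uint32_t security_version;
};

enum verdict { ACCEPT = 0, REJECT_MAGIC = -1, REJECT_CRC = -2, REJECT_ROLLBACK = -3 };

static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Integrity-only gate: any well-formed image is applied, however old,
 * and the device counter is freely overwritten by the image's value. */
int accept_update_vulnerable(const struct fw_header *h, const uint8_t *payload,
                             struct device_state *dev) {
    if (h->magic != FW_MAGIC) return REJECT_MAGIC;
    if (crc32_buf(payload, h->payload_len) != h->crc32) return REJECT_CRC;
    dev->security_version = h->security_version;
    return ACCEPT;
}

/* Hardened gate: same integrity checks plus the anti-rollback rule.
 * The stored counter can only move forward. */
int accept_update_hardened(const struct fw_header *h, const uint8_t *payload,
                           struct device_state *dev) {
    if (h->magic != FW_MAGIC) return REJECT_MAGIC;
    if (crc32_buf(payload, h->payload_len) != h->crc32) return REJECT_CRC;
    if (h->security_version < dev->security_version) return REJECT_ROLLBACK;
    if (h->security_version > dev->security_version)
        dev->security_version = h->security_version;
    return ACCEPT;
}

/* Build a constructed image whose payload is just a fill byte. */
void make_image(struct fw_header *h, uint8_t *payload, size_t len, uint32_t sv) {
    memset(payload, (int)(sv & 0xFFu), len);
    h->magic = FW_MAGIC;
    h->security_version = sv;
    h->payload_len = (uint32_t)len;
    h->crc32 = crc32_buf(payload, len);
}

/* Rollback scenario: device runs sv=3, attacker re-flashes an sv=2 image. */
int rollback_verdict_vulnerable(void) {
    uint8_t payload[64]; struct fw_header old; struct device_state dev = { 3 };
    make_image(&old, payload, sizeof payload, 2);
    return accept_update_vulnerable(&old, payload, &dev);
}

int rollback_verdict_hardened(void) {
    uint8_t payload[64]; struct fw_header old; struct device_state dev = { 3 };
    make_image(&old, payload, sizeof payload, 2);
    return accept_update_hardened(&old, payload, &dev);
}

/* Forward update: sv=4 image on an sv=3 device is accepted and advances the counter. */
uint32_t counter_after_forward_update(void) {
    uint8_t payload[64]; struct fw_header fw; struct device_state dev = { 3 };
    make_image(&fw, payload, sizeof payload, 4);
    accept_update_hardened(&fw, payload, &dev);
    return dev.security_version;
}

/* A payload altered after the header was built fails CRC in both gates. */
int tampered_verdict_hardened(void) {
    uint8_t payload[64]; struct fw_header fw; struct device_state dev = { 3 };
    make_image(&fw, payload, sizeof payload, 4);
    payload[10] ^= 0x01;
    return accept_update_hardened(&fw, payload, &dev);
}

int main(void) {
    printf("old image on sv=3 device: vulnerable gate=%d, hardened gate=%d\n",
           rollback_verdict_vulnerable(), rollback_verdict_hardened());
    printf("counter after forward update: %u\n", (unsigned)counter_after_forward_update());
    printf("tampered image, hardened gate: %d\n", tampered_verdict_hardened());
    return 0;
}
```

The point of the hardened gate is that the rejection decision depends on state the attacker cannot lower: the counter moves only forward, so once a fixed build has been installed an older image with a known bug can never be applied again, which is exactly what the vulnerable gate fails to guarantee.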
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary code on the affected charging station, potentially compromising the device's confidentiality, integrity, and availability. This could lead to unauthorized control or disruption of the charging station's operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with inventory: identify every Autel MaxiCharger AC Wallbox Commercial station on the network and compare the firmware version each unit reports with the affected ranges listed above (builds below 1.39.51 and below 1.56.51). Because the weakness is a rollback, a unit that reports an older version than the one last deployed to it is a strong indicator. Since exploitation requires pairing a malicious Bluetooth device, also review the device's Bluetooth pairing records and firmware update events for pairings and updates that were not initiated by an authorised technician. Vendor-specific commands for these checks are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting Bluetooth pairing to trusted devices only, controlling the firmware update process so that only validated firmware is applied, and, since the attack requires network adjacency, limiting physical and radio proximity to the device to trusted users. Apply the vendor firmware that addresses this flaw: the affected-version table above lists builds below 1.39.51 and below 1.56.51 as vulnerable, so each unit should be running 1.39.51 or 1.56.51 (or later) on its respective version line. Because the weakness is a downgrade, verify after patching that the unit still reports the patched version. [1]