CVE-2025-27769
Improper Access Control in Heliox EV Chargers Enables Unauthorized Access
Publication date: 2026-03-10
Last updated on: 2026-03-10
Assigner: Siemens AG
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| heliox | flex_180_kw_ev_charging_station | all versions prior to F4.11.1 (F4.11.1 excluded) |
| heliox | mobile_dc_40_kw_ev_charging_station | all versions prior to L4.10.1 (L4.10.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-923 | The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Heliox Flex 180 kW and Heliox Mobile DC 40 kW EV Charging Stations running firmware versions prior to F4.11.1 and L4.10.1 respectively. It is caused by improper access control, which allows an attacker to reach unauthorized services through the charging cable.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could access unauthorized services on the affected EV charging stations via the charging cable. This could potentially lead to unauthorized communication or actions within the device, although the impact is rated low with a CVSS v3.1 base score of 2.6, indicating limited confidentiality impact and no integrity or availability impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in Heliox EV Chargers, Siemens recommends updating the affected devices to the latest firmware versions: F4.11.1 or later for the Heliox Flex 180 kW and L4.10.1 or later for the Heliox Mobile DC 40 kW. Firmware updates are available via over-the-air (OTA) updates by contacting Siemens customer support.

Additionally, it is advised to protect network access to these devices using appropriate security mechanisms and to configure the operational environment according to Siemens' Industrial Security guidelines.

Further product-specific mitigations are detailed in the Siemens advisory, and support can be obtained via Siemens ProductCERT. [1]