Schneider Electric EVLink WallBox Path Traversal Vulnerability Allowing Arbitrary File Reads

A path traversal vulnerability has been identified in the Schneider Electric EVLink WallBox, all versions. This vulnerability allows authenticated users to read arbitrary files from the charging station. The issue arises from improper limitations on file path handling, which could be exploited by manipulating file paths during an authenticated session on the web server.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the charging station, potentially allowing for information disclosure or manipulation of the charging station's operation.

Remediation

The EVLink WallBox has reached its end of life and is no longer supported. Customers are advised to upgrade to the EVLink Pro AC model. In the meantime, implement network segmentation and firewall rules to block unauthorized access to HTTP ports, choose strong passwords, and monitor access logs. For more information on cybersecurity best practices, refer to the Schneider Electric Recommended Cybersecurity Best Practices document.