First published: Fri Jan 28 2022(Updated: )
A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)
Credit: cybersecurity@se.com
Affected Software | Affected Version | How to fix |
---|---|---|
Schneider-electric Evlink City Evc1s22p4 Firmware | <3.4.0.2 | |
Schneider-electric Evc1s22p4 Firmware | ||
Schneider Electric Evlink City EVC1S7P4 | <3.4.0.2 | |
Schneider-electric Evlink City Evc1s7p4 Firmware | ||
Schneider Electric Evw2 | <3.4.0.2 | |
Schneider Electric Evw2 | ||
Schneider Electric EVF2 | <3.4.0.2 | |
Schneider Electric EVF2 | ||
Schneider Electric EVP2PE Firmware | <3.4.0.2 | |
Schneider-electric Evp2pe Firmware | ||
Schneider Electric EVB1A | <3.4.0.2 | |
Schneider-electric Evlink Smart Wallbox Evb1a |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-22725 is classified as a medium risk vulnerability due to its potential for cross-site request forgery allowing user impersonation.
To fix CVE-2021-22725, update the affected Schneider Electric firmware to the latest version above 3.4.0.2.
CVE-2021-22725 affects various Schneider Electric products, including the EVlink City EVC1S22P and other similar firmware versions.
A Cross-Site Request Forgery is an attack that tricks a user into submitting unwanted actions on a web application where they are authenticated.
Exploiting CVE-2021-22725 could allow attackers to impersonate users and perform actions on the charging station web server without their consent.