How to Defend Against Unauthorized Access in Siemens Heliox EV Chargers

Security Arsenal Team
March 25, 2026

Introduction

Operational Technology (OT) security teams face a growing challenge as smart infrastructure, such as Electric Vehicle (EV) chargers, becomes increasingly interconnected. A recent advisory from CISA highlights a specific security concern in Siemens Heliox EV Chargers. Identified as CVE-2025-27769, this vulnerability underscores the importance of maintaining strict access controls even in physical hardware interfaces.

For defenders, the primary risk is the potential bypass of security boundaries. If left unpatched, this vulnerability could allow an attacker to interact with unauthorized services on the device via the charging cable. This post provides the necessary intelligence to detect affected assets and remediate the risk effectively.

Technical Analysis

CVE ID: CVE-2025-27769
Vulnerability Type: Improper Restriction of Communication Channel to Intended Endpoints (CWE-940)
CVSS v3 Base Score: 2.6 (Low)
Affected Products:

  • Heliox Flex 180 kW EV Charging Station
  • Heliox Mobile DC 40 kW EV Charging Station

The vulnerability stems from improper access control within the device's software architecture. Specifically, the system fails to adequately restrict the communication channel to its intended endpoints. Consequently, an attacker with physical access to the charging cable could manipulate the connection to reach services that should be restricted.

While the CVSS score is currently rated Low (likely due to the requirement for physical access), in a Critical Manufacturing environment, any unauthorized access to device services can serve as a pivot point for further attacks or operational disruption. Siemens has addressed this issue by releasing firmware updates that enforce proper restrictions on communication channels.

Defensive Monitoring

To protect your organization, security teams must first identify if affected Siemens Heliox models are deployed within the network. Since these devices are OT assets, they may not always appear in standard IT asset inventories.

The following scripts and queries can assist defenders in identifying potential devices and verifying logs for suspicious activity associated with the charging interfaces.

KQL Query for Microsoft Sentinel

Use this KQL query to hunt for Siemens or Heliox devices appearing in your syslog or network heartbeat logs. This helps inventory devices communicating on the network.

Script / Code
Syslog
| where ProcessName contains "httpd" or ProcessName contains "nginx" // Common web servers used in device management
// Assumes the forwarded messages carry vendor=<value> and model=<value> fields
| extend DeviceVendor = extract(@'vendor=([^\s]+)', 1, SyslogMessage)
| extend DeviceModel = extract(@'model=([^\s]+)', 1, SyslogMessage)
| where DeviceVendor =~ "Siemens" or DeviceModel contains "Heliox"
// The Syslog table exposes the message as SyslogMessage and the sender address as HostIP
| project TimeGenerated, HostIP, DeviceVendor, DeviceModel, SyslogMessage
| summarize count() by DeviceModel, HostIP

Bash Script for Network Discovery

If your security team manages the network segment where EV chargers are deployed, you can use this bash script to scan for open web management interfaces commonly associated with these devices. Note: Always obtain proper authorization before scanning.

Script / Code
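#!/bin/bash
# Scan for Siemens Heliox EV Chargers on a local subnet
# Usage: ./scan_chargers.sh <subnet>
# Example: ./scan_chargers.sh 192.168.1.0/24

SUBNET=$1
if [ -z "$SUBNET" ]; then
  echo "Usage: $0 <subnet>"
  exit 1
fi

# Private temp file instead of a predictable path in /tmp; removed on exit
ACTIVE_IPS=$(mktemp) || exit 1
trap 'rm -f "$ACTIVE_IPS"' EXIT

echo "Scanning $SUBNET for potential web interfaces on ports 80/443/8080..."

# Scan for common web management ports; keep one entry per host with an open port
nmap -p80,443,8080 --open -oG - "$SUBNET" | awk '/\/open\// {print $2}' | sort -u > "$ACTIVE_IPS"

while read -r ip; do
  echo "Checking $ip for device headers..."
  # Grab the Server header on each scanned port, prefixed with the URL so the
  # output of the parallel requests can be attributed to a host
  for url in "http://$ip" "https://$ip" "http://$ip:8080"; do
    # -k: device management interfaces often use self-signed certificates
    curl -s -I -k --connect-timeout 2 "$url" 2>/dev/null \
      | grep -i "^server:" | sed "s|^|$url |" &
  done
done < "$ACTIVE_IPS"

wait
echo "Scan complete."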

Remediation

Siemens has released updates to mitigate the vulnerability identified in CVE-2025-27769. Security Arsenal recommends the following immediate actions:

  1. Update Firmware: Siemens advises all users of the affected Heliox Flex 180 kW and Heliox Mobile DC 40 kW charging stations to update to the latest firmware versions immediately. Refer to the official Siemens advisory for the specific version numbers applicable to your region and hardware revision.

  2. Review Access Controls: While the firmware update addresses the software flaw, administrators should review physical access to the charging stations. Ensure that charging cables and ports are located in secure, monitored areas to reduce the risk of physical tampering.

  3. Network Segmentation: Ensure EV chargers are isolated on a dedicated VLAN or separate network segment. This prevents a compromised device from being used as a jump host to access critical manufacturing systems or the broader corporate network.

  4. Inventory Verification: Update your asset management system to reflect the patch status of these devices, ensuring compliance with internal vulnerability management policies.
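
The segmentation in step 3 can be verified against firewall or flow logs. The following is an added example, not part of the original post or of Siemens guidance: it flags permitted flows that leave or enter the charger VLAN outside an allowlist. The subnet, allowlist entries, record format and sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan for illustration; replace with your own.
CHARGER_NET = ipaddress.ip_network("10.50.0.0/24")  # dedicated charger VLAN
ALLOWED_DESTS = {                 # (destination, port) pairs chargers may reach
    ("10.60.0.10", 443),          # charge-management backend (hypothetical)
    ("10.60.0.53", 53),           # internal DNS resolver (hypothetical)
}

# Constructed sample flow records: "src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
10.50.0.21 10.60.0.10 443 allow
10.50.0.21 10.60.0.53 53 allow
10.50.0.22 10.10.5.40 502 allow
10.50.0.22 10.10.5.40 445 deny
10.20.1.15 10.50.0.21 80 allow
10.50.0.23 10.50.0.24 8080 allow
not a flow record
"""

def parse_flow(line):
    """Return (src, dst, port, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                int(parts[2]), parts[3].lower())
    except ValueError:
        return None

def segmentation_violations(text):
    """Flag permitted flows that cross the charger VLAN boundary."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow[3] != "allow":
            continue  # malformed line, or traffic the firewall already blocked
        src, dst, port, _ = flow
        src_in, dst_in = src in CHARGER_NET, dst in CHARGER_NET
        if src_in and not dst_in and (str(dst), port) not in ALLOWED_DESTS:
            findings.append(("charger-egress", str(src), str(dst), port))
        elif dst_in and not src_in:
            # Assumption: nothing outside the VLAN should initiate to a charger.
            findings.append(("inbound-to-charger", str(src), str(dst), port))
    return findings

if __name__ == "__main__":
    for finding in segmentation_violations(SAMPLE_FLOWS):
        print(*finding)
```

Any finding means a firewall rule permits traffic across the charger boundary that the allowlist does not cover; either the rule or the allowlist needs correcting.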
