The Hidden Danger in EV Charging Stations: Analyzing CVE-2025-27769
As the world accelerates toward electric vehicle (EV) adoption, the security of the charging infrastructure has become a paramount concern for the Critical Manufacturing and Transportation sectors. Recently, Siemens released a security advisory regarding a significant vulnerability in their Heliox EV Chargers. While the CVSS score may initially appear low, the implications for physical security and operational technology (OT) safety are worth a closer look.
The Vulnerability: CVE-2025-27769
Siemens ProductCERT identified an Improper Restriction of Communication Channel to Intended Endpoints (CWE-923), tracked as CVE-2025-27769, affecting specific models of Heliox EV Chargers. This vulnerability arises because the devices contain improper access control mechanisms. Specifically, an attacker with physical access to the charging cable could manipulate the connection to reach unauthorized services on the device.
Affected Products
The vulnerability specifically impacts the following hardware:
- Heliox Flex 180 kW EV Charging Station
- Heliox Mobile DC 40 kW EV Charging Station
Risk Assessment
This vulnerability has been assigned a CVSS v3.1 Base Score of 2.6 (LOW). The vector string is CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N.
While the score is low—largely because it requires Physical (AV:P) access to exploit—we must not dismiss it. In an OT environment, physical access controls cannot always be guaranteed, particularly for public charging stations or mobile units. Successful exploitation could allow an attacker to extract sensitive configuration data or interact with internal services that should be isolated from the physical charging interface.
Technical Analysis and Attack Vector
The core issue lies in how the charging station handles data transmission over the charging cable. The cable is designed to carry power and communication data (between the car and the charger). However, improper segmentation allows the communication channel to act as a bridge to internal device services that are not intended for public exposure.
If an attacker plugs a malicious device (e.g., a laptop equipped with a CAN bus interface or similar hardware) into the charging cable, they could bypass standard network perimeter defenses. Since the attack vector is physical, traditional network firewalls and IDS/IPS sensors placed on the corporate LAN would likely not see this traffic, making it a localized but potent threat.
Threat Hunting and Detection
Detecting physical access attempts via the charging cable is challenging for a SOC, as this traffic often does not traverse the standard IT network. However, security teams can hunt for anomalies if the EV chargers are connected to the network for management purposes. We should look for unexpected internal communications or deviations from standard protocols like OCPP (Open Charge Point Protocol).
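One concrete way to hunt for "deviations from standard protocols like OCPP" is to validate captured charger-to-backend frames against the OCPP-J message layout. The following Python is an added example, not code from the original post or from Siemens; it assumes OCPP 1.6-J (JSON over WebSocket), and the sample frames are constructed.

```python
import json
# OCPP-J (OCPP 1.6 over JSON/WebSocket) frame layout, per the OCPP 1.6 specification:
#   CALL       = [2, uniqueId, action, payload]
#   CALLRESULT = [3, uniqueId, payload]
#   CALLERROR  = [4, uniqueId, errorCode, errorDescription, errorDetails]
CALL, CALLRESULT, CALLERROR = 2, 3, 4

# Actions a charge point may initiate towards the central system in OCPP 1.6
KNOWN_CP_ACTIONS = {
    "Authorize", "BootNotification", "DataTransfer", "DiagnosticsStatusNotification",
    "FirmwareStatusNotification", "Heartbeat", "MeterValues", "StartTransaction",
    "StatusNotification", "StopTransaction",
}
def check_frame(raw):
    """Return None for a well-formed charger-side OCPP-J frame, else a short reason."""
    try:
        frame = json.loads(raw)
    except ValueError:
        return "not JSON"
    if not isinstance(frame, list) or not frame:
        return "not an OCPP-J array"
    mtype = frame[0]
    if mtype == CALL:
        if len(frame) != 4 or not isinstance(frame[3], dict):
            return "malformed CALL"
        if frame[2] not in KNOWN_CP_ACTIONS:
            return f"unknown action {frame[2]!r}"
    elif mtype == CALLRESULT:
        if len(frame) != 3 or not isinstance(frame[2], dict):
            return "malformed CALLRESULT"
    elif mtype == CALLERROR:
        if len(frame) != 5:
            return "malformed CALLERROR"
    else:
        return f"unknown MessageTypeId {mtype!r}"
    return None

def find_deviations(lines):
    """Return (line_no, reason) for every captured frame that deviates from OCPP-J."""
    return [(i, r) for i, raw in enumerate(lines, 1) if (r := check_frame(raw))]

# Constructed sample of charger-to-backend frames; the last two should be flagged
SAMPLE_FRAMES = [
    '[2, "19223201", "BootNotification", {"chargePointVendor": "Example", "chargePointModel": "Demo"}]',
    '[3, "19223201", {"status": "Accepted", "currentTime": "2025-01-01T00:00:00Z", "interval": 300}]',
    '[2, "19223202", "Heartbeat", {}]',
    'hello from a non-OCPP client',
    '[2, "19223203", "GetConfiguration", {}]',  # a central-system action, unexpected from a charger
]
```

Feed it the text frames from a WebSocket capture on the management VLAN; any non-empty result is worth a closer look, since a charger should only ever originate the actions listed.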
1. KQL Query for Sentinel/Defender
Use the following query to hunt for devices communicating on non-standard ports or showing signs of unauthorized internal access attempts. This assumes you are ingesting firewall or network logs.
let Heliox_IP_Ranges = dynamic(["192.168.1.10", "192.168.1.11"]); // Add your charger IPs here
let Allowed_Ports = dynamic([443, 80, 8000, 9000]); // Common OCPP/Management ports
DeviceNetworkEvents
// DeviceNetworkEvents is populated by Defender-onboarded hosts and records LocalIP/RemoteIP
// (there is no IPV4Addresses column); match flows whose remote end is a charger
| where RemoteIP in (Heliox_IP_Ranges)
| where RemotePort !in (Allowed_Ports)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "InboundConnectionAccepted")
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, Protocol
| order by Timestamp desc
2. Bash Script for Network Auditing
If you have visibility into the management network, you can use a simple Nmap scan to ensure that only necessary services are exposed on the chargers. Note: Only run this with proper authorization.
#!/bin/bash
# Audit Heliox chargers for open ports (only against systems you are authorized to scan)
CHARGER_IPS=("192.168.1.10" "192.168.1.11")
CRITICAL_PORTS=("22" "23" "21") # SSH, Telnet, FTP - usually unnecessary on edge devices
for ip in "${CHARGER_IPS[@]}"; do
    echo "Scanning $ip for unexpected open ports..."
    # Keep the result lines (e.g. "22/tcp open ssh"); the original grep for PORT|STATE
    # only matched the column header and discarded every actual port
    open_ports=$(nmap -p 1-65535 --open -T4 "$ip" | grep -E '^[0-9]+/(tcp|udp)')
    echo "$open_ports"
    for port in "${CRITICAL_PORTS[@]}"; do
        if grep -qE "^${port}/tcp[[:space:]]+open" <<< "$open_ports"; then
            echo "WARNING: $ip exposes port $port, which should be disabled on an edge device"
        fi
    done
done
3. Python Log Correlator
This Python snippet helps correlate high-volume physical connection logs with network anomalies to identify potential physical tampering events.
import pandas as pd

def analyze_physical_tampering(charger_logs, network_logs, window_seconds=60):
    """Pair charger-side physical events with network flows from the same device
    that occur within window_seconds of the event."""
    # Load logs (assuming CSV format for example) and parse timestamps as datetimes
    df_charger = pd.read_csv(charger_logs, parse_dates=['timestamp'])
    df_network = pd.read_csv(network_logs, parse_dates=['timestamp'])
    # Filter for physical connection errors or resets
    physical_events = df_charger[df_charger['event_type'] == 'cable_mismatch']
    # merge_asof requires both frames to be sorted on the join key
    physical_events = physical_events.sort_values('timestamp')
    df_network = df_network.sort_values('timestamp').assign(matched=True)
    # Join on device ID and the nearest timestamp inside the tolerance window; an exact
    # timestamp match (a plain merge on 'timestamp') almost never occurs across log sources
    correlated_events = pd.merge_asof(
        physical_events,
        df_network,
        on='timestamp',
        by='device_id',
        tolerance=pd.Timedelta(seconds=window_seconds),
        direction='nearest',
    )
    # merge_asof is a left join; drop physical events with no network flow nearby
    return correlated_events.dropna(subset=['matched']).drop(columns='matched')

# Usage: analyze_physical_tampering('charger_events.csv', 'network_traffic.csv')
Mitigation Strategies
Siemens has released Over-the-Air (OTA) updates to address this vulnerability. Security Arsenal recommends the following immediate actions:
- Apply the Patch: Contact Siemens customer support immediately to receive the latest firmware version and apply the OTA update to all affected Heliox Flex 180 kW and Mobile DC 40 kW units.
- Network Segmentation: Ensure EV chargers are on an isolated VLAN. They should not be able to communicate directly with critical industrial control systems or business servers.
- Physical Security: Review the physical placement of charging stations. Ensure they are in well-lit, monitored areas where unauthorized physical access is deterred by CCTV or security personnel.
- Disable Unused Services: If the chargers expose any management interfaces (SSH/Telnet) that are not required for operation, disable them via the device configuration.
Conclusion
While CVE-2025-27769 requires physical access, it serves as a reminder that in the world of OT and IoT, the "air gap" is a myth. Physical interfaces are simply another attack surface. By applying the Siemens patches and monitoring network traffic for anomalies, organizations can secure their charging infrastructure against both remote and physical threats.