Full Report
VersiCharge AC Series EV Chargers contain two vulnerabilities that could allow an attacker to gain control of the chargers through the default Modbus port or to execute arbitrary code by manipulating the M0 firmware. Siemens recommends countermeasures for products where fixes are not available, or not yet available.
Analysis Summary
# Vulnerability: Multiple Flaws in Siemens VersiCharge AC Series EV Chargers
## CVE Details
**Vulnerability 1**
- CVE ID: CVE-2025-31930
- CVSS Score: 8.8 (High) [v3.1] / 8.7 (High) [v4.0]
- CWE: CWE-1188 (Initialization of a Resource with an Insecure Default)
**Vulnerability 2**
- CVE ID: CVE-2025-31929
- CVSS Score: 4.2 (Medium) [v3.1] / 4.1 (Medium) [v4.0]
- CWE: CWE-1326 (Missing Immutable Root of Trust in Hardware)
## Affected Systems
- **Products:** VersiCharge AC Series EV Chargers (Multiple models including IEC 1Ph 7.4kW, Parent/Child configurations, and Socket/Cable variants).
- **Versions:**
  - CVE-2025-31930: All versions prior to V2.135.
  - CVE-2025-31929: All versions.
- **Configurations:** Devices with default settings where Modbus is enabled or where physical access to the M0 hardware is possible.
## Vulnerability Description
- **CVE-2025-31930:** The affected devices ship with the Modbus service enabled by default. This allows an unauthorized user on the same local network to send commands to the charger, potentially resulting in unauthorized control of the charging process.
- **CVE-2025-31929:** The M0 hardware lacks an Immutable Root of Trust. This flaw allows an attacker with physical access to manipulate or replace firmware, leading to the execution of arbitrary code on the device.
## Exploitation
- **Status:** The advisory does not state whether a PoC is available or whether the flaws are being actively exploited; reported by Southwest Research and USPS OIG.
- **Complexity:**
  - CVE-2025-31930: **Low** (Service is on by default).
  - CVE-2025-31929: **High** (Requires physical modification/access).
- **Attack Vector:**
  - CVE-2025-31930: **Adjacent** (Requires local network access).
  - CVE-2025-31929: **Physical**.
## Impact
- **Confidentiality:** High (for Modbus flaw); None (for Root of Trust flaw).
- **Integrity:** High (Full control over charger functions and firmware).
- **Availability:** High (Ability to disrupt charging services).
## Remediation
### Patches
- **V2.135:** Updates are available for certain models to address the default Modbus configuration.
- **No Fix Planned:** For CVE-2025-31929 (Hardware-based Root of Trust issue), no software fix is currently planned.
### Workarounds
- **Disable Modbus:** Commission the charger and associate it with a VersiCloud group with Modbus configured to **OFF**. Contact Siemens support if the setting status is unclear.
- **Network Isolation:** Protect network access to chargers using VLANs or firewalls to prevent unauthorized adjacent access.
- **Physical Security:** Ensure chargers are installed in secure locations to prevent physical tampering with the M0 hardware.
## Detection
- **Indicators of Compromise:** Unexpected Modbus traffic on the local network originating from unknown IP addresses.
- **Detection Methods:** Audit network configurations to verify whether the Modbus port (typically TCP 502) is open and accessible from unauthorized segments.
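Putting the indicator above into practice: an added example (not code from the Siemens advisory) that flags Modbus/TCP flows to charger addresses from hosts outside an approved client list, or any Modbus flow at all once the chargers have been commissioned with Modbus OFF. The flow-log format, charger addresses and allowlist are constructed assumptions.

```python
"""Flag Modbus/TCP (port 502) connections to EV chargers from hosts that are
not on the approved list. Added example, not from the Siemens advisory; the
log format, charger addresses and allowlist are constructed assumptions."""
import ipaddress
from collections import namedtuple

MODBUS_TCP_PORT = 502  # default Modbus/TCP port named in the advisory
Finding = namedtuple("Finding", "ts src dst reason")

# Constructed inventory: charger addresses and the hosts permitted to reach
# them over Modbus (e.g. an energy-management system). Adjust to your site.
CHARGERS = {ipaddress.ip_address("192.0.2.20"), ipaddress.ip_address("192.0.2.21")}
APPROVED_MODBUS_CLIENTS = {ipaddress.ip_address("192.0.2.10")}

def parse_flow(line):
    """Parse one constructed flow record: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, proto.lower(), ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport)

def find_unexpected_modbus(lines, modbus_expected_off=False):
    """Return a Finding for each TCP/502 flow to a charger that violates policy.
    With modbus_expected_off=True (chargers commissioned with Modbus OFF, the
    advisory's workaround) every Modbus flow to a charger is a finding."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, proto, src, dst, dport = parse_flow(line)
        # Only Modbus/TCP towards a known charger is in scope for this check.
        if proto != "tcp" or dport != MODBUS_TCP_PORT or dst not in CHARGERS:
            continue
        if modbus_expected_off:
            findings.append(Finding(ts, str(src), str(dst), "Modbus flow to charger expected to have Modbus OFF"))
        elif src not in APPROVED_MODBUS_CLIENTS:
            findings.append(Finding(ts, str(src), str(dst), "Modbus client not on approved list"))
    return findings

# Constructed sample flow log (not real traffic); .30 is not a charger, UDP is ignored.
SAMPLE_FLOWS = """\
2025-05-01T10:00:01Z TCP 192.0.2.10:40001 -> 192.0.2.20:502
2025-05-01T10:00:05Z TCP 192.0.2.77:51234 -> 192.0.2.20:502
2025-05-01T10:00:09Z TCP 192.0.2.77:51235 -> 192.0.2.30:502
2025-05-01T10:00:12Z UDP 192.0.2.77:51236 -> 192.0.2.21:502
""".splitlines()

for f in find_unexpected_modbus(SAMPLE_FLOWS):
    print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

Feed it your own flow or firewall export after adapting `parse_flow` to that format; the same check also serves as the audit for the "Disable Modbus" workaround when run with `modbus_expected_off=True`.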
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-556937[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories