Schneider Electric has released a warning to the public about three vulnerabilities that affect their EVLink Parking Devices. The devices are a line of electric charging stations that can be found around the country. The vulnerabilities affect versions 3.2.0-12_vi and earlier. The first vulnerability (CVE-2018-7800), is a hard-coded credentials vulnerability which allows an attacker to gain access to the device. The second vulnerability (CVE-2018-7801), could enable access with maximum privileges when remote code execution is carried out. The third vulnerability (CVE-2018-7802), is a SQL injection vulnerability that could give access to the web interface with full privileges. The first vulnerability is rated as critical, while the second is rated as high and the third is medium. The company stated that a patch could fix these issues and has been released to the clients of these devices.
Since a patch has been released for these vulnerabilities, anybody that has these devices should patch them immediately. Clients of these devices should also set up a firewall to block remote access except by authorized users in order to mitigate and prevent these types of attacks.