PatchSiren cyber security CVE debrief
CVE-2024-8070 Schneider Electric CVE debrief
A high-severity vulnerability (CVSS 8.5) in Schneider Electric EVlink Home Smart and Schneider Charge products exposes test credentials in cleartext within firmware binaries. The CWE-312 flaw allows local attackers with physical or logical access to extract sensitive authentication material from firmware images. Schneider Electric has released automatic firmware updates through the Wiser application and eSetup commissioning tool to remediate affected devices.
- Vendor
- Schneider Electric
- Product
- EVlink Home Smart
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-10-08
- Original CVE updated
- 2024-10-08
- Advisory published
- 2024-10-08
- Advisory updated
- 2024-10-08
Who should care
Owners and operators of Schneider Electric EVlink Home Smart and Schneider Charge electric vehicle charging stations, facility managers with EV infrastructure, industrial control system security teams, and organizations managing distributed EV charging deployments.
Technical summary
CVE-2024-8070 is a CWE-312 (Cleartext Storage of Sensitive Information) vulnerability affecting Schneider Electric EVlink Home Smart (all versions prior to 2.0.6.0.0) and Schneider Charge (all versions prior to 1.13.4). The vulnerability exposes test credentials stored in cleartext within firmware binaries, potentially allowing attackers with local access to extract authentication material. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L) reflects local attack vector, low complexity, no privileges required, no user interaction, changed scope, high confidentiality impact, and low integrity/availability impact. Schneider Electric has deployed automatic firmware updates through the Wiser application; new installations receive fixes through the eSetup commissioning application.
Defensive priority
HIGH
Recommended defensive actions
- Verify EVlink Home Smart firmware is updated to version 2.0.6.0.0 or later through the Wiser application settings page
- Verify Schneider Charge firmware is updated to version 1.13.4 or later through the Wiser application or third-party supervision application
- Ensure charging stations remain connected to the Wiser application to receive automatic security updates
- For new installations, use the eSetup commissioning application which enforces the security fix
- Review CISA ICS recommended practices for securing industrial control systems and EV charging infrastructure
- Monitor Schneider Electric security advisories for additional updates to SEVD-2024-282-04
Evidence notes
CISA ICS advisory ICSA-25-023-03 documents this vulnerability with vendor confirmation from Schneider Electric. The advisory specifies affected firmware versions and automatic update mechanisms.
Official resources
-
CVE-2024-8070 CVE record
CVE.org
-
CVE-2024-8070 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-10-08