PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-27769 Siemens CVE debrief

CVE-2025-27769 affects Siemens Heliox EV charging stations and is rated LOW with a 2.6 CVSS score. The issue is an improper access control weakness that could let an attacker reach unauthorized services through the charging cable.

Vendor: Siemens
Product: Heliox Flex 180 kW EV Charging Station
CVSS: LOW 2.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-12
Advisory published: 2026-03-10
Advisory updated: 2026-03-12

Who should care

Operators, maintainers, and integrators responsible for Siemens Heliox Flex 180 kW EV Charging Station systems below F4.11.1 and Heliox Mobile DC 40 kW EV Charging Station systems below L4.10.1 should review this advisory. Site security teams and EV charging service providers should also prioritize it where physical access to charging equipment is possible.

Technical summary

The advisory describes an improper access control condition in affected Siemens Heliox EV charging stations. According to the supplied CVSS vector (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N), exploitation requires physical access, has low attack complexity, and can impact confidentiality at a limited level while not indicating integrity or availability impact in the base score. The reported attack path is via the charging cable, which suggests an unauthorized local interface or service exposure rather than a network-only weakness.

Defensive priority

Low to moderate. The issue is physically reachable and limited in measured impact, but it affects safety- and availability-relevant charging infrastructure and should still be remediated promptly at sites with public or semi-public access.

Recommended defensive actions

  • Contact Siemens customer support for patch information and apply the OTA update guidance provided in the advisory.
  • Inventory deployed Heliox Flex 180 kW EV Charging Station and Heliox Mobile DC 40 kW EV Charging Station assets and compare installed versions against the affected thresholds.
  • Restrict physical access to charging equipment and cable interfaces where feasible, especially at unattended sites.
  • Monitor Siemens/CISA advisory updates for any follow-on guidance or revised remediation details.
  • Validate that local operational controls and maintenance procedures limit unauthorized use of charging infrastructure.

Evidence notes

This debrief is based on the supplied CISA CSAF source item for ICSA-26-071-05 and its Siemens ProductCERT reference set. The source description states: 'Affected devices contain improper access control that could allow an attacker to reach unauthorized services via the charging cable.' The source metadata lists the affected products and version constraints, the remediation note directs customers to contact support for patch information via OTA update, and the CVSS vector is provided as CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N. Publication timing is taken from the supplied CVE and advisory dates: 2026-03-10 initial publication and 2026-03-12 republication/revision.

Official resources

First published in the supplied CISA advisory record on 2026-03-10 and revised on 2026-03-12 to incorporate Siemens ProductCERT SSA-126399 content.