Vestel AC Charger Sensitive Information Disclosure Vulnerability
Overview
CVE-2025-3606 is a high-severity vulnerability (CVSS 8.7) affecting Vestel AC Charger version 3.75.0. The flaw allows an attacker to read sensitive files containing credentials, which could lead to further compromise of the device. It was publicly disclosed on April 24, 2025, and poses a significant risk to chargers running this firmware version.
Technical Details
The published advisory describes the outcome of the flaw (sensitive files containing credentials become readable) rather than its root cause. The usual causes for this class of issue are insecure file permissions or directory traversal in a device's web interface or API, and the discussion below assumes one of those. An attacker exploiting the flaw can read configuration files, logs, or credential stores without authentication, potentially gaining access to:
Admin passwords
API keys
Session tokens
Network configurations
This could allow an attacker to:
Take full control of the charging station
Manipulate charging schedules
Steal user data
Use the device as a pivot point in a larger attack
Attack Scenarios
Scenario 1: Unauthenticated File Access via Web Interface
This scenario is illustrative; the file paths are hypothetical and are not taken from the advisory.
An attacker discovers a Vestel AC Charger (v3.75.0) exposed to the internet.
They send a crafted HTTP request containing "../" segments to step out of the web root:
GET /../../etc/passwd HTTP/1.1
Host: <charger_IP>
If the server responds with the contents of /etc/passwd, directory traversal is confirmed. (Many HTTP clients and proxies collapse a literal "/../" before the request leaves the client, so in practice the segments are URL-encoded, e.g. %2e%2e%2f.)
The attacker then retrieves a credential store such as /var/config/credentials.db and extracts the admin credentials.
Using these credentials, the attacker logs in and modifies charging settings or deploys malware.
Scenario 2: Exploiting Misconfigured API Endpoints
This scenario is likewise illustrative; the endpoint name is hypothetical.
Suppose the charger exposes an undocumented API endpoint that takes a file name as a parameter:
GET /api/v1/config?file=credentials.json
An attacker sends this request without a session and receives the credentials file in response, because the endpoint neither requires authentication nor restricts which files it will return.
With the extracted credentials, they authenticate via SSH or the web dashboard.
They then disable security controls or install a backdoor for persistent access.
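Both scenarios come down to one coding mistake: a user-supplied file name is joined onto a directory and read without checking where the result lands or whether that file was ever meant to be public. The following added example (not Vestel's code, and not taken from the advisory) shows that flawed pattern next to a hardened version. The document root /srv/www/public, the allowlist of public file names, and the request strings are all assumptions made for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical layout for an embedded charger web UI (an assumption for this
# example, not Vestel's real filesystem): only files in PUBLIC_ROOT may be
# served, and only the names in PUBLIC_FILES are meant to be public.
PUBLIC_ROOT = "/srv/www/public"
PUBLIC_FILES = {"status.json", "firmware_version.txt"}


def resolve_vulnerable(requested: str) -> str:
    """The flawed pattern behind both scenarios: decode the user-supplied
    name and join it onto the document root with no further check.
    '..' segments walk out of the root (three of them, from a root three
    levels deep, reach /etc/passwd), and any file that happens to live in
    the served tree, such as a credentials file, is handed out as well."""
    return posixpath.normpath(posixpath.join(PUBLIC_ROOT, unquote(requested)))


def resolve_hardened(requested: str) -> Optional[str]:
    """Hardened resolution. Returns the path to serve, or None to refuse.

    1. Decode exactly once and reject NUL bytes and absolute paths.
    2. Normalise and require the result to stay under PUBLIC_ROOT.
    3. Require the file to sit directly in PUBLIC_ROOT and on the allowlist,
       so a credentials file is refused even if it lives in the served tree.
    """
    decoded = unquote(requested)
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(PUBLIC_ROOT, decoded))
    if not candidate.startswith(PUBLIC_ROOT + "/"):
        return None  # escaped the document root via '..'
    if posixpath.dirname(candidate) != PUBLIC_ROOT:
        return None  # subdirectories are not served
    if posixpath.basename(candidate) not in PUBLIC_FILES:
        return None  # not an intended public file (e.g. credentials.json)
    return candidate


if __name__ == "__main__":
    for req in ("status.json", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "credentials.json"):
        print(f"{req!r:40} vulnerable -> {resolve_vulnerable(req)}")
        print(f"{'':40} hardened   -> {resolve_hardened(req)}")
```

Two design points. The prefix check and the allowlist are separate layers: the prefix check stops traversal, while the allowlist stops Scenario 2, where the file is inside the served tree but should never be readable. On a real device the handler should also resolve symlinks with os.path.realpath and repeat the prefix check on the result, and it should require an authenticated session before reading anything at all; the allowlist then protects credential stores even from a logged-in user.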
Mitigation & Recommendations
Apply Vendor Patches – Track Vestel's advisories and the CISA advisory for this CVE, and apply the fixed firmware as soon as it is published.
Restrict Network Access – Ensure chargers are not exposed to the public internet. Use firewalls and VLAN segmentation.
File Permission Hardening – Restrict read/write access to sensitive files.
Monitor Logs for Suspicious Activity – Alert on requests containing traversal sequences (../, %2e%2e), on reads of configuration or credential files, and on repeated failed authentication attempts from a single source.
Credential Rotation – Change all passwords and API keys after patching.
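The log-monitoring recommendation above is concrete enough to script. The following added example (not part of the original page or of any vendor tooling) scans web-server access logs in Combined Log Format for the three signals that matter here: traversal sequences, requests that name credential or configuration material, and repeated 401 responses to one client. The sample log lines are constructed for the example and mirror the two scenarios above plus a password-guessing burst; the IP addresses, paths and timestamps are made up.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). They are not
# logs from a real charger; addresses, paths and times are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2025:09:12:01 +0000] "GET /status.json HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.23 - - [25/Apr/2025:09:12:07 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1480 "-" "python-requests/2.32"
198.51.100.23 - - [25/Apr/2025:09:12:09 +0000] "GET /api/v1/config?file=credentials.json HTTP/1.1" 200 2048 "-" "python-requests/2.32"
198.51.100.23 - - [25/Apr/2025:09:12:11 +0000] "GET /%2e%2e/%2e%2e/var/config/credentials.db HTTP/1.1" 200 8192 "-" "python-requests/2.32"
10.0.0.5 - - [25/Apr/2025:09:13:00 +0000] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Apr/2025:09:13:02 +0000] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Apr/2025:09:13:04 +0000] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Apr/2025:09:13:06 +0000] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Apr/2025:09:13:08 +0000] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A '..' path segment anywhere in the decoded path.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Substrings that point at credential or config material. The /var/config/
# entry reflects the hypothetical path used in Scenario 1; extend this list
# with the real locations on your device.
SENSITIVE_HINTS = ("/etc/passwd", "/etc/shadow", "credentials",
                   "/var/config/", ".pem", ".key")


def _normalise(path: str) -> str:
    """Decode twice to catch double-encoded dots (%252e), fold backslashes
    to slashes so '..\\..' is treated like '../..', and lowercase."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/").lower()


def analyze(log_text: str, fail_threshold: int = 5) -> List[Dict[str, str]]:
    """Return one alert dict per matched rule: path_traversal and
    sensitive_path per offending request, repeated_auth_failure per client
    that accumulates fail_threshold or more 401 responses."""
    alerts: List[Dict[str, str]] = []
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real collector would count these
        ip, path, status = m["ip"], m["path"], m["status"]
        norm = _normalise(path)
        if TRAVERSAL_RE.search(norm):
            alerts.append({"ip": ip, "rule": "path_traversal",
                           "path": path, "detail": f"HTTP {status}"})
        if any(hint in norm for hint in SENSITIVE_HINTS):
            # A 200 here means the disclosure very likely succeeded.
            alerts.append({"ip": ip, "rule": "sensitive_path",
                           "path": path, "detail": f"HTTP {status}"})
        if status == "401":
            failures[ip] += 1
    for ip, n in failures.items():
        if n >= fail_threshold:
            alerts.append({"ip": ip, "rule": "repeated_auth_failure",
                           "path": "", "detail": f"{n} responses with 401"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ip']:16} {a['rule']:22} {a['path']:45} {a['detail']}")
```

Feed real logs in with analyze(open("access.log").read()). The traversal rule deliberately runs on the decoded path rather than on the raw request, because a literal "/../" rarely survives to the server and attackers encode it; the sensitive-path rule is intentionally broad, so tune SENSITIVE_HINTS to the files that actually hold credentials on the charger and treat any 200 response to such a request as a confirmed disclosure that warrants the credential rotation recommended above.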
Conclusion
CVE-2025-3606 is a high-severity information disclosure flaw that could lead to full device takeover. Organizations using Vestel AC Chargers should prioritize patching once fixed firmware is available and implement network security controls in the meantime to prevent exploitation.