Executive Summary
In October 2025, ABB disclosed a heap-based buffer overflow vulnerability (CVE-2025-5517) affecting multiple models of its Terra AC wallbox electric vehicle chargers. This flaw could allow attackers to execute arbitrary code, cause denial-of-service conditions, or gain unauthorized access. Exploitation requires either a man-in-the-middle position with unencrypted communication or a compromised Charging Station Management System (CSMS). ABB has released firmware updates to address this issue and recommends users update their devices promptly. This incident underscores the critical importance of securing industrial control systems, especially as electric vehicle infrastructure becomes more widespread. Organizations should ensure encrypted communications and regularly update firmware to mitigate such vulnerabilities.
Why This Matters Now
The increasing adoption of electric vehicle charging infrastructure highlights the need for robust cybersecurity measures. Vulnerabilities like CVE-2025-5517 demonstrate potential risks to critical infrastructure, emphasizing the urgency for organizations to implement secure communication protocols and timely software updates to protect against emerging threats.
Attack Path Analysis
An attacker exploits a heap-based buffer overflow vulnerability in ABB Terra AC wallbox devices by sending specially crafted OCPP messages over unencrypted HTTP connections, leading to remote code execution. The attacker then escalates privileges within the device to gain administrative control. Using this control, the attacker moves laterally to other connected devices within the network. A command and control channel is established to maintain persistent access to the compromised devices. Sensitive data is exfiltrated from the devices to an external server. Finally, the attacker disrupts charging station operations, causing denial of service and potential physical damage.
Kill Chain Progression
Initial Compromise
Description
An attacker exploits a heap-based buffer overflow vulnerability in ABB Terra AC wallbox devices by sending specially crafted OCPP messages over unencrypted HTTP connections, leading to remote code execution.
Related CVEs
CVE-2025-5517
CVSS 6.8. A heap-based buffer overflow vulnerability in ABB Terra AC wallbox allows an attacker to potentially take remote control of the product and alter firmware behavior.
Affected Products:
ABB Terra AC wallbox (UL40/80A) – <=1.8.32
ABB Terra AC wallbox (UL32A) – <=1.8.2
ABB Terra AC wallbox (MID/CE) – <=1.8.32
ABB Terra AC wallbox (JP) – <=1.8.2
Exploit Status:
No public exploit
MITRE ATT&CK® Techniques
Exploitation of Remote Services
Command-Line Interface
Modify Parameter
Brute Force I/O
Activate Firmware Update Mode
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Flaw Remediation
Control ID: SI-2
PCI DSS 4.0 – System and Application Security
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Electric vehicle charging infrastructure faces a critical heap overflow vulnerability in ABB Terra AC systems that enables remote control and firmware manipulation through exploitation of the OCPP protocol.
Utilities
Electric grid charging networks are vulnerable to remote attacks on ABB Terra AC wallboxes, which could disrupt EV charging services and compromise the security of energy distribution infrastructure.
Transportation
EV charging station networks face heap-based buffer overflow risks that allow attackers remote control of Terra AC chargers, threatening transportation electrification infrastructure and service availability.
Oil/Energy/Solar/Greentech
Clean energy charging infrastructure is affected by the ABB Terra AC vulnerability, exposing electric vehicle charging networks to remote attacks and potential service disruption.
Sources
- ABB Terra AC: https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-01
- ABB Terra AC wallbox Vulnerability Advisory: https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A8948&LanguageCode=en&DocumentPartId=PDF&Action=Launch
- CVE-2025-5517 Detail - NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5517
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident as it could limit the attacker's ability to move laterally, establish command and control channels, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the vulnerability may be constrained by limiting unencrypted HTTP traffic to the device.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may be limited by restricting access to administrative functions based on strict identity verification.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement could be constrained by segmenting network traffic and enforcing strict communication policies between devices.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may be restricted by monitoring and controlling outbound communications from devices.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data could be limited by enforcing strict egress policies and monitoring outbound data transfers.
While CNSF may not prevent the initial compromise, it could limit the attacker's ability to propagate and cause widespread disruption, thereby reducing the overall impact on charging station operations.
Impact at a Glance
Affected Business Functions
- Electric Vehicle Charging Services
- Energy Management Systems
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of operational data related to charging sessions and user information.
Recommended Actions
Key Takeaways & Next Steps
- Implement encrypted communication protocols (e.g., HTTPS) to secure data in transit and prevent exploitation of unencrypted traffic.
- Deploy East-West Traffic Security controls to monitor and restrict lateral movement within the network.
- Utilize Zero Trust Segmentation to enforce least privilege access and limit the attacker's ability to escalate privileges.
- Establish Multicloud Visibility & Control mechanisms to detect and respond to anomalous interactions and potential command and control activities.
- Apply Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and mitigate potential data loss.