Schneider Electric EVlink Home Smart Cleartext Storage of Sensitive Information Vulnerability (CVE-2024-8070)

Schneider Electric Security Notification EVlink Home Smart and Schneider Charge 10 October 2024 Overview Schneider Electric is aware of a vulnerability with the potential disclosure of confidential information in its EVlink Home Smart and Schneider Charge charging stations. This issue is not related to any customer personal data, and the potential disclosure cannot be exploited to abuse either product. The vulnerability only pertains to remote test equipment and test features that are removed from production units. A remediation for affected charging stations has already been deployed to all connected units. Affected Products and Versions Vulnerability Details CVE ID: CVE-2024-8070 CVSS v3.1 Base Score: 8.5 CWE-312: A cleartext storage of sensitive information vulnerability exists, exposing test credentials in the firmware binary. It should be noted that this vulnerability does not enable any exploitation of the product, as the exposed information relates to remote test equipment and test features that are removed from production units. Note regarding vulnerability details: The severity of vulnerabilities was calculated using the CVSS Base metrics in version 3.1 (CVSS v3.1), without incorporating Temporal and Environmental metrics. Schneider Electric recommends that customers evaluate the CVSS Environmental metrics, which are specific to end-user organizations, and consider factors such as the presence of mitigations in their environment. Environmental metrics may refine the relative severity posed by the vulnerabilities described in this document within a customer’s environment. --- Document Reference Number: SEVD-2024-282-04 Page 1 of 4

Goal Reached Thanks to every supporter — we hit 100%!

Schneider Electric EVlink Home Smart Cleartext Storage of Sensitive Information Vulnerability (CVE-2024-8070)