Schneider Electric is warning users of multiple vulnerabilities in the EVLink Parking product, including a “critical” vulnerability.
The critical vulnerability is caused by hard-coded credentials that allow an attacker to gain access to the device, according to a Dec. 20 security notification issued by the firm.
Schneider Electric also patched a “High”-rated code injection vulnerability, which could likewise allow an attacker to gain access to the device, and a “Medium”-rated SQL injection vulnerability, which could give access to the web interface with full privileges.
The vulnerabilities affect EVLink Parking v3.2.0-12_v1 and earlier versions, and researchers have already released a patch to address the bugs. As a workaround or mitigation to reduce risk, users may also set up a firewall to block remote/external access except by authorized users. Best practices, as always, are strongly advised.