
ICS: Multiple Schneider Electric Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-3898 CVSS:7.1

An Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends an HTTPS request containing an invalid data type to the webserver.

CVE-2025-5743 CVSS:7

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote control over the charging station when an authenticated user modifies configuration parameters on the web server.

CVE-2025-5742 CVSS:5.4

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists when an authenticated user modifies configuration parameters on the web server.

CVE-2025-5741 CVSS:6.9

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file reads from the charging station. Exploitation of this vulnerability requires an authenticated session on the web server.

CVE-2025-5740 CVSS:8.6

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file writes when an unauthenticated user on the web server manipulates the file path.

Impact

  • Denial of Service
  • Gain Access
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2025-3898

  • CVE-2025-5743

  • CVE-2025-5742

  • CVE-2025-5741

  • CVE-2025-5740

Affected Vendors

Schneider Electric

Affected Products

  • Schneider Electric Modicon Controllers M241/M251 5.3.12.51
  • Schneider Electric Modicon Controllers M262 5.3.9.18
  • Schneider Electric EVLink WallBox

Remediation

Refer to Schneider Electric Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-3898

CVE-2025-5743

CVE-2025-5742

CVE-2025-5741

CVE-2025-5740