June 11, 2025
Severity
High
Analysis Summary
CVE-2025-3898 CVSS:7.1
Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends an HTTPS request containing an invalid data type to the web server.
CVE-2025-5743 CVSS:7
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote control over the charging station when an authenticated user modifies configuration parameters on the web server.
CVE-2025-5742 CVSS:5.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists when an authenticated user modifies configuration parameters on the web server.
CVE-2025-5741 CVSS:6.9
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file reads from the charging station. Exploitation of this vulnerability requires an authenticated session on the web server.
CVE-2025-5740 CVSS:8.6
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file writes when an unauthenticated user on the web server manipulates the file path.
Impact
- Denial of Service
- Gain Access
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-3898
CVE-2025-5743
CVE-2025-5742
CVE-2025-5741
CVE-2025-5740
Affected Vendors
Affected Products
- Schneider Electric Modicon Controllers M241/M251 5.3.12.51
- Schneider Electric Modicon Controllers M262 5.3.9.18
- Schneider Electric EVLink WallBox
Remediation
Refer to the Schneider Electric Security Advisory for patch, upgrade, or suggested workaround information.