VYPR
advisoryPublished Jul 15, 2026· 5 sources

Autel EV Chargers Vulnerable to Remote Code Execution via WebSocket Flaw

A critical integer underflow vulnerability in Autel MaxiCharger AC Elite Home EV chargers allows unauthenticated attackers to execute arbitrary code remotely.

The Zero Day Initiative (ZDI) has disclosed a critical remote code execution vulnerability, identified as ZDI-26-437, affecting Autel MaxiCharger AC Elite Home EV chargers. This flaw, assigned a CVSS score of 8.1, allows unauthenticated attackers to compromise the devices by exploiting an integer underflow within the handling of WebSocket messages related to the OCPP service.

The vulnerability stems from insufficient validation of user-supplied data within the WebSocket communication channel. When processing these messages, the charger fails to properly validate input, leading to an integer underflow condition. This condition can be leveraged by an attacker to allocate a buffer of an incorrect size, ultimately enabling them to execute arbitrary code in the context of the device.

Exploitation does not require any form of authentication, meaning any attacker with network access to a vulnerable charger could potentially trigger the flaw. The ability to execute arbitrary code on these devices poses a significant security risk, potentially allowing attackers to disrupt charging operations, gain access to sensitive network information, or use the compromised charger as a pivot point into a local network.

Autel has addressed this vulnerability by releasing firmware version V1.40.81. Users of the Autel MaxiCharger AC Elite Home EV charger are strongly advised to update their devices to this latest firmware to mitigate the risk of exploitation. The Zero Day Initiative reported the vulnerability to the vendor on March 19, 2026, and coordinated the public release of the advisory on July 15, 2026.

This vulnerability highlights the growing security concerns surrounding the Internet of Things (IoT) and connected devices, particularly those in critical infrastructure sectors like electric vehicle charging. As more devices become connected, the attack surface expands, making robust security practices and timely patching essential.

While the specific impact on a large scale is not yet detailed, the potential for remote code execution on charging infrastructure warrants attention from both consumers and network administrators. The CVSS score of 8.1 indicates a high level of severity, emphasizing the need for prompt remediation.

This advisory serves as a reminder for manufacturers to prioritize secure coding practices and thorough security testing throughout the development lifecycle of connected devices. The ZDI's disclosure process aims to provide vendors with adequate time to develop and release patches before public disclosure, ensuring a more secure ecosystem for users.

Further technical details and mitigation strategies can be found in the official advisory from the Zero Day Initiative.

This new advisory from Zero Day Initiative details a different vulnerability affecting the Autel MaxiCharger AC Elite Home EV chargers. While the previous report focused on a remote code execution flaw via a WebSocket, this advisory describes a physical authentication bypass vulnerability (CVE-2026-13306) that requires only physical access to exploit, bypassing all authentication mechanisms through the USB interface.

This new advisory from Zero Day Initiative details a specific vulnerability, ZDI-26-433, affecting Autel MaxiCharger AC Elite Home EV chargers. The flaw, identified as CVE-2026-13305, stems from improper verification of cryptographic signatures during software updates, allowing physically present attackers to execute arbitrary code without authentication. This contrasts with the previously reported WebSocket flaw which allowed remote code execution.

This new advisory from Zero Day Initiative details a heap-based buffer overflow vulnerability, CVE-2026-13307, affecting Autel MaxiCharger AC Elite Home EV chargers. Unlike the previously reported WebSocket flaw, this vulnerability requires physical presence to exploit and allows for arbitrary code execution without authentication. The vulnerability has been fixed in firmware version V1.40.81.

This new advisory from Zero Day Initiative details a different attack vector for Autel MaxiCharger AC Elite Home EV chargers, specifically targeting the NFC interface. Unlike the previously reported WebSocket flaw which allowed remote code execution, this vulnerability requires physical presence and exploits a stack-based buffer overflow when handling crafted NFC card responses. The vulnerability is rated CVSS 6.8 and has been fixed in firmware version V1.40.81.

Synthesized by Vypr AI