VYPR
Advisory · Published May 26, 2026 · 1 source

CISA Warns of Heap Buffer Overflow in ABB Terra AC EV Chargers Allowing Remote Firmware Takeover

CISA published an advisory for CVE-2025-5517, a heap-based buffer overflow in ABB Terra AC wallbox chargers that could let attackers remotely control the device and alter firmware via crafted OCPP messages.

CISA has issued an advisory warning of a heap-based buffer overflow vulnerability, tracked as CVE-2025-5517, affecting ABB Terra AC electric vehicle wallbox chargers. The flaw, which carries a CVSS v3.1 base score of 6.8 (MEDIUM), could allow an attacker who successfully exploits it to corrupt heap memory, potentially gaining remote control of the charger and performing write operations to flash memory to alter firmware behavior.

The vulnerability resides in the way the charger firmware handles Open Charge Point Protocol (OCPP) messages. According to the advisory, the firmware did not properly limit the length of certain OCPP fields, so a specially crafted message can trigger a heap-based buffer overflow. An attacker can reach the charger either by hijacking the Charging Station Management System (CSMS), the OCPP backend, or by intercepting unencrypted HTTP communication between the charger and the backend. From either position, the attacker can send a malicious OCPP message that corrupts memory, leading to denial of service, compromised internal state, or remote code execution.

The affected products include multiple variants of the Terra AC wallbox: UL40/80A versions up to 1.8.32, UL32A versions up to 1.8.2, MID/CE versions up to 1.8.32, and JP versions up to 1.8.2. These chargers are deployed worldwide across critical infrastructure sectors such as commercial facilities, critical manufacturing, energy, and transportation systems. ABB, headquartered in Switzerland, has released fixed firmware versions: 1.8.33 for UL40/80A and PTB variants, and 1.8.34 for UL32A, MID, CE, and JP variants.

CISA strongly recommends that customers apply the updates at the earliest opportunity. In addition to patching, ABB advises operators to avoid unencrypted HTTP for OCPP connections and instead use HTTPS with TLS as the foundational communication protocol between the charger and the OCPP backend. The advisory notes that running in unsafe HTTP mode leaves the communication channel open to interception and attack, a well-known risk in the industry.

The vulnerability was discovered and reported to ABB by Itai Shmueli of Saiflow, who coordinated disclosure through Schneider Electric. At the time of the advisory's publication, ABB confirmed that the vulnerability had not been publicly disclosed and that no reports of active exploitation had been received. The fix removes the vulnerability by modifying the validation rules for data received from the OCPP backend.
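To make the mechanism described above and the nature of the fix concrete, here is a constructed C illustration that is not ABB's firmware or any code from the advisory: a fixed-size OCPP field inside a heap-allocated session object, copied once without a bound (the vulnerable pattern) and once with the protocol's length constraint enforced before the copy (the hardened pattern). The idTag field and its 20-character limit come from OCPP 1.6; the advisory does not name the field involved in CVE-2025-5517, so idTag is an assumed stand-in.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example. OCPP 1.6 bounds idTag to 20 characters (CiString20Type);
 * the advisory does not say which field CVE-2025-5517 involves, so idTag is an
 * assumed stand-in for "a length-limited OCPP field stored in a fixed buffer". */
#define IDTAG_MAX 20

typedef struct {
    char id_tag[IDTAG_MAX + 1];   /* fixed-size field inside a heap-allocated object */
    unsigned int tx_id;           /* neighbouring state that an overflow would clobber */
} session_t;

/* Vulnerable pattern: the copy length is dictated by the backend's message. */
static void store_idtag_unchecked(session_t *s, const char *tag) {
    strcpy(s->id_tag, tag);       /* no bound: a long idTag writes past id_tag */
}

/* Hardened pattern: enforce the protocol limit before touching the buffer.
 * Returns 0 on success, -1 if the field violates its constraint. */
static int store_idtag_checked(session_t *s, const char *tag) {
    size_t n = strlen(tag);
    if (n > IDTAG_MAX) {
        return -1;                /* caller answers with a CallError and keeps old state */
    }
    memcpy(s->id_tag, tag, n);
    s->id_tag[n] = '\0';
    return 0;
}

/* Self-check: returns 1 if an oversized tag is rejected and tx_id survives intact. */
static int rejects_oversized_tag(void) {
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL) return 0;
    s->tx_id = 0xC0FFEE;
    int rc = store_idtag_checked(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"); /* 26 chars */
    int ok = (rc == -1) && (s->tx_id == 0xC0FFEE) && (s->id_tag[0] == '\0');
    free(s);
    return ok;
}

int main(void) {
    session_t s = {0};
    store_idtag_unchecked(&s, "RFID-0042");   /* harmless only because this tag is short */
    printf("valid tag accepted: %d\n", store_idtag_checked(&s, "RFID-0043") == 0);
    printf("oversized tag rejected: %d\n", rejects_oversized_tag());
    return 0;
}
```

The rejected message leaves the session untouched, which is the behaviour the advisory describes the fix restoring by tightening validation of data received from the backend.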

This advisory is part of a broader pattern of vulnerabilities in ABB's industrial and energy-sector products. In recent weeks, CISA has also warned of a buffer over-read in ABB AC500 V2 PLCs, a missing authentication flaw in ABB Ability™ Zenon, and critical issues in ABB Ability Camera Connect due to outdated components. The recurring theme underscores the challenge of securing widely deployed operational technology devices that rely on legacy protocols and long update cycles. For operators of EV charging infrastructure, this latest advisory serves as a reminder to audit network configurations, enforce encrypted communications, and prioritize firmware updates to prevent potential remote takeover of charging stations.

Synthesized by Vypr AI