#VU107939 Exposure of Sensitive System Information to an Unauthorized Control Sphere in Vestel products - CVE-2025-3606

Cybersecurity Help s.r.o.

Published: 2025-04-25

Vulnerability identifier: #VU107939

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-3606

CWE-ID: CWE-497

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
AC Charger EVC04-AC SW
Hardware solutions / Firmware
AC Charger EVC04-AC SWL
Hardware solutions / Firmware
AC Charger EVC04-AC SL
Hardware solutions / Firmware
AC Charger EVC04-AC S
Hardware solutions / Firmware

Vendor: Vestel

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to exposure of sensitive system information to an unauthorized control sphere. A remote attacker can gain access to files containing sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

AC Charger EVC04-AC SW: 3.75.0

AC Charger EVC04-AC SWL: 3.75.0

AC Charger EVC04-AC SL: 3.75.0

AC Charger EVC04-AC S: 3.75.0

External links
https://firebasestorage.googleapis.com/v0/b/vestel-shield.firebasestorage.app/o/PRODUCTION%2F1%2FVSA-1_R2.pdf?alt=media&token=8201f299-5014-4720-9200-f1b335736ac1
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-03

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Vestel AC Charger EVC04