(Pwn2Own) Autel MaxiCharger AC Elite Home Software Update Improper Verification of Cryptographic Signature Arbitrary Code Execution Vulnerability
Vulnerability Details
This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Home EV chargers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of software updates. The issue results from the lack of proper validation of a user-supplied software update image. An attacker can leverage this vulnerability to execute code in the context of the device.
Additional Details
Fixed in firmware version V1.40.81
Disclosure Timeline
- 2026-03-19 - Vulnerability reported to vendor
- 2026-07-15 - Coordinated public release of advisory
- 2026-07-15 - Advisory Updated
Credit
Tobias Scharnowski (@ScepticCtf), Felix Buchmann, and Kristian Covic of Fuzzware.io