Schneider Electric Security Notification

EVlink Home Smart and Schneider Charge

10 October 2024

Overview

Schneider Electric is aware of a vulnerability with the potential disclosure of confidential information in its EVlink Home Smart and Schneider Charge charging stations. This is not related to any customer personal data, and the potential disclosure cannot be exploited to abuse either product. It relates only to remote test equipment and test features that are removed from production units.

A remediation for affected charging stations has already been deployed to all connected units.

Affected Products and Versions

Vulnerability Details

CVE ID: CVE-2024-8070
CVSS v3.1 Base Score: 8.5

A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that exposes test credentials in the firmware binary. Note that this case does not allow any exploitation of the product, as this information relates to remote test equipment and test features that are removed from the production units.

Note regarding vulnerability details: The severity of vulnerabilities was calculated using the CVSS Base metrics in version 3.1 (CVSS v3.1) without incorporating the Temporal and Environmental metrics. Schneider Electric recommends that customers score the CVSS Environmental metrics, which are specific to end-user organizations, and consider factors such as the presence of mitigations in that environment. Environmental metrics may refine the relative severity posed by the vulnerabilities described in this document within a customer's environment.

Document Reference Number: SEVD-2024-282-04