Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdiSynacktiv (@Synacktiv)ZDI-24-852
HistoryJun 21, 2024 - 12:00 a.m.

(Pwn2Own) Autel MaxiCharger AC Elite Business C50 BLE Hardcoded Credentials Authentication Bypass Vulnerability

2024-06-2100:00:00
Synacktiv (@Synacktiv)
www.zerodayinitiative.com
vulnerability
autel maxicharger
authentication bypass
ble
appauthenrequest command
hardcoded credentials

7.2 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

JSON

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Elite Business C50 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the BLE AppAuthenRequest command handler. The handler uses hardcoded credentials as a fallback in case of an authentication request failure. An attacker can leverage this vulnerability to bypass authentication on the system.

7.2 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

JSON