Skip to main content
CybersecurityInfrastructure

Siemens VersiCharge AC Series EV Chargers

Siemens VersiCharge AC Series EV Chargers

Siemens VersiCharge EV Chargers: Navigating Cybersecurity Vulnerabilities in the Age of Electrification

In a world racing toward electrification, even the promise of cleaner energy is not immune to the shadow of cybersecurity threats. Recent advisories have spotlighted serious vulnerabilities within Siemens VersiCharge AC Series electric vehicle chargers. With electric vehicles (EVs) transforming transportation, the integrity of their charging infrastructure is under renewed scrutiny, as both operators and regulators grapple with the intersection of innovation and risk.

On January 10, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it would no longer update Industrial Control System (ICS) security advisories for Siemens product vulnerabilities beyond the initial alerts. This shift underscores a growing concern: critical infrastructure and commercial systems are increasingly exposed to sophisticated cyber-attacks. The Siemens advisory, which outlines two major vulnerabilities affecting the VersiCharge AC Series and related products, offers a stark reminder that as new technology drives progress, it can simultaneously open up new avenues of exploitation.

A key fact that anchors this narrative is the dual nature of the vulnerabilities identified. One vulnerability relates to a missing immutable root of trust in the hardware, potentially allowing an attacker with physical access to execute arbitrary code by exploiting the device’s firmware. The second vulnerability, stemming from an insecure default setting in the initialization of resources, enables malicious actors on the same network to potentially take remote control of the EV charger through the default-enabled Modbus service. Both vulnerabilities illustrate the tensions between usability and security in interconnected critical infrastructures.

Historically, industrial control systems were designed prioritizing reliability and efficiency over security. As the energy market has evolved – spurred by growing demand and technological innovation – systems originally engineered with minimal security considerations have become gateways for increasingly targeted cyber intrusions. Siemens, a global leader headquartered in Germany, has long been a major provider of industrial systems, and its VersiCharge AC Series chargers are a quintessential example of technology that has matured alongside the electric vehicle revolution.

At the heart of this advisory are two Common Vulnerabilities and Exposures (CVE) entries: CVE-2025-31929 and CVE-2025-31930. The first, CVE-2025-31929, denotes the missing immutable root of trust in the M0 hardware, resulting in a potential for code manipulation if an attacker can physically access the device. Though it has a lower CVSS v3.1 base score of 4.2 (and 4.1 under the CVSS v4 framework), its implications in environments where physical security is relaxed remain significant. The second vulnerability, CVE-2025-31930, associated with the initialization of a resource using an insecure default, carries more immediate concern due to its ease of remote exploitation over a network with minimal attack complexity – a fact reflected in its high CVSS scores (8.8 under version 3.1 and 8.7 under version 4.0).

The situation is further compounded by the extensive list of affected Siemens products. Ranging from IEC and UL Commercial products to various configurations of parent and child sockets, cables, and even cellular-equipped chargers, the advisory paints a picture of a vulnerability spanning multiple product lines. In total, dozens of specific models – such as the Siemens IEC 1Ph 7.4kW Parent socket and the VersiCharge Blue™ 80A AC Cellular charger – are implicated. This broad scope signals both the ubiquity of the vulnerability across Siemens’ offerings and the critical need for end-users to stay vigilant about applying mitigations and updates promptly.

From a technical standpoint, the advisory provides granular insights. The root of the first vulnerability lies in the absence of an immutable root of trust within the M0 hardware. In digital security, such a root of trust is meant to act as an unalterable foundation that verifies every subsequent layer of code – essentially the baseline from which system integrity is derived. Without it, the device’s firmware becomes a veritable playground for attackers with physical proximity.

The second vulnerability poses a different threat vector. By enabling a Modbus service by default – a protocol widely adopted in industrial automation – the system inadvertently opens up an avenue for unauthorized remote control. This insecure default serves as a stark reminder that convenience features built into critical infrastructure devices can inadvertently reduce resilience against cyber threats. For adversaries operating on the same local network, this vulnerability offers a low attack complexity route to execute arbitrary code and manipulate EV charging functionality, potentially disrupting the charging process during sensitive operational windows.

Both vulnerabilities have substantial implications for industries and municipalities alike. As governments globally push for greater EV adoption, and as crowded urban centers rapidly integrate EV charging stations into their infrastructures, the reliability and security of these systems become central to public trust and safety. The exploitation of these vulnerabilities could compromise not only the financial and operational aspects of EV charging networks but also the broader perception of the safety and security of public infrastructure.

Experts from both the cybersecurity and energy sectors have taken note. Alex Stamos, former Chief Security Officer at Facebook and a well-respected voice in cybersecurity, has often emphasized that “critical infrastructure must be treated as a high-value target” – a statement that resonates with the current context of Siemens’ vulnerability disclosures. Similarly, representatives from Siemens have been transparent about the technical details and provided a comprehensive list of mitigations aimed at reducing the risk of exploitation. These recommendations include isolating devices behind firewalls, using Virtual Private Networks (VPNs) for remote access, and applying rigorous network segmentation to minimize exposure.

From a policy standpoint, the evolving threat landscape demands that organizations reassess their internal risk management and cybersecurity protocols. CISA’s advisories and recommended practices, including guidance on ICS security from industrial control system experts, stress that before deploying defensive measures, a thorough impact analysis and risk assessment should be conducted. With Siemens urging customers to update devices to version V2.135 or later, and with recommendations to follow operational guidelines as offered on the Siemens industrial security webpage, both public and private entities face a timely challenge: ensuring that strategies for digital defense are as robust as those for physical security.

The technical details underlying these vulnerabilities are sobering in their breadth. Siemens’ release includes a lengthy catalog of affected products, each identified by unique model numbers – a testament to the complexity of modern EV charging infrastructure. For every unit that faces potential exploitation, there lies an operational imperative: to update, secure, and monitor. The advisories also note that until a fix is broadly implemented, devices such as the VersiCharge Blue™ 80A AC Cellular charger will receive only over-the-air (OTA) updates if fully commissioned and connected to Siemens Device Management. For many operators, this means a careful balance between operational continuity and the urgent need to upgrade security protocols.

In the spirit of comprehensive mitigation, Siemens has also offered general security measures. These include:

  • Network Exposure Reduction: Operators are urged to minimize the exposure of control systems to the public internet, thereby reducing the effective attack surface.
  • Isolation Strategies: Placing control system networks behind robust firewalls and segregating them from business networks can dramatically lower the risk of unauthorized access.
  • Secure Remote Access: For environments where remote access is essential, the use of VPNs – though not infallible – is recommended as a more secure alternative compared to open connections.

These measures, while effective, are part of a broader ecosystem of recommended practices. CISA also offers guidelines focused on proactive defense, such as its “Defense-in-Depth” strategies, which underscore the importance of layered security measures. In essence, while the Siemens advisory zeroes in on specific hardware and software vulnerabilities, it also serves as a microcosm of the larger challenges facing modern critical infrastructures.

What, then, does the future hold? As the industry works through these vulnerabilities, there is a clear imperative to evolve beyond traditional security paradigms. The rapid pace of technological innovation in industrial control systems means that vendors and operators alike must recalibrate their security frameworks. In response, Siemens has committed to supporting customers with ongoing security updates and recommendations, a stance echoed by CISA’s call for industry vigilance in the face of potential exploitation. As new OTA updates roll out to devices when conditions allow, the hope is that the risks can be substantially mitigated without necessitating a complete overhaul of existing hardware.

Looking ahead, the challenge for enterprises and municipalities will be to maintain a delicate balance between embracing technological advancements and ensuring cybersecurity resilience. With electric vehicles increasingly becoming a fixture on our roads, the supporting charging infrastructure must be robust enough to withstand targeted cyber threats. For cybersecurity practitioners, the Siemens case reinforces the need for comprehensive, cross-disciplinary strategies that consider hardware design, software integrity, and operational oversight in equal measure.

The Siemens advisory, with its detailed technical analysis and bundled mitigations, is as much a cautionary tale as it is a call to action. The incident encourages all stakeholders – from cybersecurity experts and policy makers to industrial operators – to reexamine their security postures. In an era defined by rapid technological displacement and heightened interconnectivity, the human element remains central to defense: trust in technology must be earned through transparency, rigorous testing, and an unwavering commitment to securing the infrastructures that power our daily lives.

As organizations work to implement Siemens’ recommendations and CISA’s guidance on industrial control systems, a broader question emerges: How can society ensure that the march toward green energy does not inadvertently open new doors to cyber threats? The answer may lie in a collaborative approach that bridges industry insights, governmental oversight, and global cybersecurity expertise. Only by acknowledging both the innovative promise of technologies like Siemens VersiCharge and the security challenges they pose can we hope to create a safe, sustainable future in which progress is not overshadowed by vulnerability.

In the final analysis, the Siemens advisory is a vivid reminder that no system is impervious. The path ahead requires continuous vigilance, proactive defense, and a healthy dose of skepticism toward convenience features that may compromise security. As the electric vehicle revolution accelerates, the integrity of every link in its supporting infrastructure must be safeguarded with the dedication of seasoned professionals and the clarity of truth that our increasingly connected world demands.