An authentication bypass vulnerability in WOLFBOX Level 2 EV Chargers due to uninitialized BLE encryption keys poses a significant risk of unauthorized access.

The vulnerability stems from uninitialized BLE encryption keys, which allows a network-adjacent attacker to bypass authentication mechanisms. This flaw does not require user interaction or valid credentials to successfully gain unauthorized access.

The CVSS score of 8.8 underscores the severity of this authentication bypass. An attacker gaining unauthorized control over an EV charger could manipulate charging parameters or potentially access sensitive device configurations, leading to unauthorized service usage or device instability.

Immediate Action: Update the WOLFBOX Level 2 EV Charger firmware to a version beyond 3.1.17 as specified in the vendor advisory at https://www.zerodayinitiative.com/advisories/ZDI-25-328/.

Proactive Monitoring: Regularly review device access logs for unauthorized connection attempts, specifically those originating from Bluetooth-enabled devices.

Compensating Controls: Disable Bluetooth interfaces on the charging units if they are not required for operational functionality.

Public Exploit Available: false

Authentication bypass vulnerabilities are high-priority targets for attackers. Organizations should ensure that firmware updates are tested and deployed immediately to remediate this flaw and restrict unauthorized access to the charging infrastructure.