A critical heap-based buffer overflow vulnerability in WOLFBOX Level 2 EV Chargers allows unauthenticated attackers to execute arbitrary code.

The vulnerability exists within the tuya_svc_devos_activate_result_parse function, where improper length validation leads to a heap-based buffer overflow. This flaw allows a network-adjacent, unauthenticated attacker to inject malicious payloads and execute arbitrary code on the device.

With a CVSS score of 8.8, this vulnerability poses a significant risk to operational integrity. Successful exploitation could grant an attacker full control over the charging unit, potentially leading to unauthorized system access, denial of service, or the use of the device as a pivot point for further attacks on the internal network.

Immediate Action: Consult the vendor advisory at https://www.zerodayinitiative.com/advisories/ZDI-25-329/ to identify available firmware updates and apply them immediately.

Proactive Monitoring: Monitor network traffic for anomalous packets directed at the charging unit, particularly those targeting the Tuya service activation parameters.

Compensating Controls: Isolate affected EV chargers on a restricted VLAN to minimize exposure to untrusted network segments until patches are applied.

Public Exploit Available: false

Given the high CVSS score and the ability for unauthenticated remote code execution, this vulnerability represents a severe threat. Administrators should prioritize the deployment of firmware patches as soon as they are made available by the vendor to prevent potential device compromise.