ABB Terra AC
ABB Terra AC wallbox EV chargers are affected by a heap-based buffer overflow vulnerability (CVE-2025-5517, CVSS 6.8) due to improper length validation of OCPP fields. An attacker who hijacks the OCPP backend or intercepts unencrypted HTTP traffic can send crafted messages to execute arbitrary code, alter firmware, or cause a denial of service.
Authors: CISA, ABB PSIRT
Source: CISA
What Happened
ABB Terra AC electric vehicle chargers have a security flaw that could allow hackers to take control of the devices. This affects various models of the Terra AC wallbox running older software. If exploited, attackers could change how the charger works, shut it down, or run malicious commands. Organizations using these chargers should update the firmware immediately and ensure they are using secure, encrypted connections (HTTPS) to manage them.
Key Takeaways
- ABB Terra AC wallbox chargers are vulnerable to a heap-based buffer overflow (CVE-2025-5517).
- Exploitation occurs via specially crafted OCPP messages, potentially leading to DoS, firmware alteration, or Remote Code Execution (RCE).
- Attackers must hijack the CSMS (OCPP backend) or exploit unencrypted HTTP communications to deliver the payload.
- Firmware updates (versions 1.8.33 and 1.8.34) are available to patch the vulnerability.
- Organizations are strongly advised to enforce HTTPS (TLS) for all charger-to-backend communications.
Affected Systems
- ABB Terra AC wallbox (UL40/80A) <=1.8.32
- ABB Terra AC wallbox (UL32A) <=1.8.2
- ABB Terra AC wallbox (MID/CE) <=1.8.32
- ABB Terra AC wallbox (JP) <=1.8.2
Vulnerabilities (CVEs)
- CVE-2025-5517
Attack Chain
An attacker first compromises the Charging Station Management System (CSMS) or intercepts unencrypted HTTP traffic between the charger and the backend. The attacker then sends a specially crafted Open Charge Point Protocol (OCPP) message with an oversized field to the vulnerable ABB Terra AC charger. The charger's firmware fails to validate the field length, triggering a heap-based buffer overflow. This memory corruption allows the attacker to alter firmware behavior, cause a denial-of-service, or achieve remote code execution.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the advisory.
Detection Engineering Assessment
- EDR Visibility: None — EDR agents cannot be installed on embedded EV charger firmware (ABB Terra AC).
- Network Visibility: Medium — Network sensors can monitor OCPP traffic, but visibility into the payload requires TLS decryption if HTTPS is properly implemented.
- Detection Difficulty: Hard — Detecting crafted OCPP messages requires deep packet inspection of the OCPP protocol and understanding of normal field lengths, which is difficult if traffic is encrypted.
Required Log Sources
- Network IDS/IPS
- CSMS Application Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| If you have visibility into unencrypted OCPP traffic, consider hunting for abnormally large field lengths in OCPP messages sent from the CSMS to the chargers. | Network IDS/IPS | Exploitation | Low |
| Consider monitoring CSMS application logs for unauthorized access or unusual API calls that could indicate backend hijacking. | Application Logs | Initial Access | Medium |
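As an added example (not from the advisory, CISA or ABB), the first hypothesis can be checked over decoded OCPP-J frames from a network sensor or CSMS log: flag any string field in a CSMS-to-charger CALL that exceeds its expected length. The per-field limits and the sample frames are assumptions constructed for illustration, based on OCPP 1.6 CiString sizes, and should be tuned to the OCPP version and field set your chargers actually use.

```python
import json
# Maximum string lengths for fields in CALL payloads sent from the CSMS to the
# charger. Assumed from OCPP 1.6 CiString sizes; adjust to your OCPP version.
FIELD_LIMITS = {
    "ChangeConfiguration": {"key": 50, "value": 500},
    "RemoteStartTransaction": {"idTag": 20},
}
DEFAULT_LIMIT = 500  # fallback for any string field not listed above

def walk_strings(obj, path=""):
    """Yield (dotted_path, value) for every string inside a JSON payload."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk_strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj

def check_ocpp_call(raw):
    """Return findings for oversized strings in one OCPP-J CALL frame."""
    try:
        frame = json.loads(raw)
    except json.JSONDecodeError:
        return ["unparseable frame"]
    # A CALL is [2, uniqueId, action, payload]; replies (3/4) are skipped
    if not (isinstance(frame, list) and len(frame) == 4 and frame[0] == 2):
        return []
    _, unique_id, action, payload = frame
    limits = FIELD_LIMITS.get(action, {})
    findings = []
    for path, value in walk_strings(payload):
        limit = limits.get(path, DEFAULT_LIMIT)
        if len(value) > limit:
            findings.append(f"{action}.{path}: {len(value)} chars > {limit} (id {unique_id})")
    return findings

def scan(frames):
    """Return {frame_index: findings} for frames with at least one finding."""
    results = {i: check_ocpp_call(raw) for i, raw in enumerate(frames)}
    return {i: f for i, f in results.items() if f}

# Constructed sample frames (not captured traffic): a benign config change,
# one whose value is far beyond the expected length, and a charger reply.
SAMPLE_FRAMES = [
    '[2, "19223201", "ChangeConfiguration", {"key": "HeartbeatInterval", "value": "300"}]',
    '[2, "19223202", "ChangeConfiguration", {"key": "MeterValuesSampledData", "value": "' + "A" * 4096 + '"}]',
    '[3, "19223201", {"status": "Accepted"}]',
]
```

Run `scan(SAMPLE_FRAMES)` to see only the oversized frame reported; on a live feed, a hit from an otherwise-trusted CSMS is also a prompt to check the backend for the unauthorized access the second hypothesis describes.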
Control Gaps
- Lack of endpoint telemetry on embedded ICS devices
- Unencrypted HTTP communication (if not configured for HTTPS)
Key Behavioral Indicators
- Abnormally large OCPP message fields
- Unexpected reboots or offline status of EV chargers
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Apply the vendor-provided firmware updates (1.8.33 or 1.8.34 depending on the model) to all affected ABB Terra AC wallboxes.
- Ensure all communication between the chargers and the OCPP backend (CSMS) is configured to use HTTPS (TLS) rather than unencrypted HTTP.
Infrastructure Hardening
- Isolate EV charging infrastructure and CSMS servers on dedicated network segments behind firewalls.
- Implement strict access controls and monitoring on the Charging Station Management System (CSMS) to prevent unauthorized backend access.
User Protection
- N/A
Security Awareness
- N/A
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1499 - Endpoint Denial of Service