
ABB Terra AC Wallbox

ABB Terra AC Wallbox (JP) versions 1.8.33 and prior are affected by multiple buffer overflow vulnerabilities (CVE-2025-10504, CVE-2025-12142, CVE-2025-12143) with a CVSS score of 6.1. Successful exploitation requires a threat actor to hijack the Bluetooth connection, potentially allowing them to pollute memory, alter firmware behavior, and take remote control of the device.

Conf: high · Analyzed: 2026-05-24 · Google

Authors: CISA, ABB PSIRT

Source: CISA


What Happened

ABB Terra AC Wallbox electric vehicle chargers (specifically the Japan variants running version 1.8.33 and older) contain software flaws that could allow an attacker to take control of the device. To exploit these flaws, an attacker would first need to hijack the charger's Bluetooth connection. If successful, they could alter the charger's internal software. This matters because compromised chargers could malfunction or be used maliciously. Users and administrators should update their devices to firmware version 1.8.36 as soon as possible.

Key Takeaways

  • ABB Terra AC Wallbox (JP) versions 1.8.33 and prior contain multiple buffer overflow vulnerabilities.
  • Exploitation requires an attacker to first hijack the encrypted Bluetooth connection to the charger.
  • Successful exploitation allows memory pollution, potentially leading to firmware alteration and remote control of the device.
  • ABB has released firmware version 1.8.36 to remediate these vulnerabilities.

Affected Systems

  • ABB Terra AC wallbox (JP) versions 1.8.33 and prior

Vulnerabilities (CVEs)

  • CVE-2025-10504
  • CVE-2025-12142
  • CVE-2025-12143

Attack Chain

An attacker first targets the Bluetooth connection of the ABB Terra AC Wallbox to hijack the communication channel. Once hijacked, the attacker sends specially crafted messages with unexpected field lengths or bin file sizes via a self-defined protocol or customized OCPP key. These messages trigger heap, stack, or BSS memory buffer overflows. The memory pollution allows the attacker to execute write operations to the flash memory, ultimately altering firmware behavior and gaining remote control of the product.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: None. EDR agents cannot be installed on embedded ICS devices like EV chargers.
  • Network Visibility: Low. The primary attack vector involves encrypted Bluetooth communications, which are out-of-band for standard network monitoring tools.
  • Detection Difficulty: Very Hard. Exploitation occurs over encrypted Bluetooth directly to an embedded ICS device with limited logging capabilities.

Required Log Sources

  • OCPP application logs
  • Device management console logs

Hunting Hypotheses

  • Hypothesis: If you have visibility into OCPP backend logs, consider hunting for anomalous 'RandomDelay' key configurations or unexpected field lengths.
    Telemetry: OCPP application logs
    ATT&CK Stage: Execution
    FP Risk: Low
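
The hunting hypothesis above, worked as an added example (not code from the advisory or from ABB). It assumes the backend writes one OCPP 1.6 JSON frame per line, prefixed by a timestamp and charger ID, and that RandomDelay normally holds a short decimal number; the 50- and 500-character limits are the ChangeConfiguration key and value sizes in OCPP 1.6.

```python
import json

# OCPP 1.6 ChangeConfiguration.req sizes: key is CiString50, value is CiString500.
MAX_KEY_LEN, MAX_VALUE_LEN = 50, 500
WATCHED_KEY = "randomdelay"  # key named in the hunting hypothesis
MAX_DELAY_DIGITS = 5         # assumption: a legitimate value is a short decimal number

# Constructed sample; "<timestamp> <charger-id> <OCPP-J frame>" is an assumed log layout.
SAMPLE_LOG = """\
2026-05-20T08:00:01Z CP-001 [2,"a1","ChangeConfiguration",{"key":"RandomDelay","value":"30"}]
2026-05-20T08:00:05Z CP-001 [2,"a2","Heartbeat",{}]
2026-05-20T08:01:10Z CP-002 [2,"a3","ChangeConfiguration",{"key":"RandomDelay","value":"%s"}]
2026-05-20T08:02:00Z CP-003 [2,"a4","ChangeConfiguration",{"key":"%s","value":"1"}]
2026-05-20T08:03:00Z CP-003 not-json
""" % ("9" * 64, "K" * 80)

def check_frame(frame):
    """Return the reasons a parsed OCPP-J frame looks anomalous (empty list if none)."""
    # A CALL frame is [2, uniqueId, action, payload]; everything else is ignored.
    if not (isinstance(frame, list) and len(frame) == 4 and frame[0] == 2):
        return []
    action, payload = frame[2], frame[3]
    if action != "ChangeConfiguration" or not isinstance(payload, dict):
        return []
    key, value = payload.get("key"), payload.get("value")
    if not isinstance(key, str) or not isinstance(value, str):
        return ["key or value is not a string"]
    reasons = []
    if len(key) > MAX_KEY_LEN:
        reasons.append("key length %d > %d" % (len(key), MAX_KEY_LEN))
    if len(value) > MAX_VALUE_LEN:
        reasons.append("value length %d > %d" % (len(value), MAX_VALUE_LEN))
    short_number = value.isascii() and value.isdigit() and len(value) <= MAX_DELAY_DIGITS
    if key.lower() == WATCHED_KEY and not short_number:
        reasons.append("RandomDelay value is not a short decimal number")
    return reasons

def hunt(log_text):
    """Return (timestamp, charger_id, reasons) for every suspicious log line."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # blank or truncated line
        try:
            reasons = check_frame(json.loads(parts[2]))
        except json.JSONDecodeError:
            reasons = ["unparseable frame"]
        if reasons:
            findings.append((parts[0], parts[1], reasons))
    return findings
```

Tune `MAX_DELAY_DIGITS` to the range your fleet actually configures before alerting on the RandomDelay check.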

Control Gaps

  • Lack of endpoint visibility on embedded ICS devices
  • Inability to inspect encrypted Bluetooth traffic

Key Behavioral Indicators

  • Anomalous Bluetooth pairing requests or connections
  • Unexpected firmware modification alerts from the device management console

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Update ABB Terra AC wallbox (JP) devices to firmware version 1.8.36 at the earliest convenience.

Infrastructure Hardening

  • Minimize network exposure for all control system devices and ensure they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • If remote access is required, consider using secure methods such as updated Virtual Private Networks (VPNs).

User Protection

  • Consider implementing physical security measures around EV chargers to prevent unauthorized proximity-based Bluetooth attacks.

Security Awareness

  • Educate facility managers on the risks of unauthorized physical or Bluetooth access to EV charging infrastructure.

MITRE ATT&CK Mapping

  • T1210 - Exploitation of Remote Services
  • T1542.001 - System Firmware