// 2 ZERO-DAY · 2 CVE · 3 EXPLOIT IN THE LAST 24H
Critical vulnerability in Autel MaxiCharger AC Elite Home: integer underflow in OCPP protocol enables unauthenticated remote code execution.

On July 15, 2026, the Trend Micro Zero Day Initiative published advisory ZDI-26-437, documenting a remote code execution vulnerability in Autel MaxiCharger AC Elite Home residential chargers. The flaw, demonstrated at the Pwn2Own security contest, exploits an integer underflow in the parsing of OCPP service WebSocket messages and requires no authentication, expanding the attack surface from the charging infrastructure to the user's home network.

Key Takeaways
  • Vulnerability ZDI-26-437 (CVE-2026-13308, CVSS 8.1) enables unauthenticated arbitrary remote code execution on Autel MaxiCharger AC Elite Home chargers.
  • The technical mechanism is an integer underflow in buffer allocation during parsing of OCPP service WebSocket messages, caused by insufficient validation of attacker-controlled data.
  • The flaw was reported to the vendor on March 19, 2026; coordinated release occurred approximately four months later, on July 15, 2026.
  • No confirmation of in-the-wild exploitation beyond the Pwn2Own demonstration; the source does not specify the availability of a vendor-specific patch or affected or fixed firmware versions.

The OCPP Protocol as Attack Surface

The Open Charge Point Protocol is the de facto standard for communication between EV charging stations and centralized management systems. Its widespread adoption, which ensures interoperability, simultaneously makes it an attractive target: a single parser flaw can propagate across entire device fleets. In the case of ZDI-26-437, the exposed surface is not a REST API or a management panel, but the WebSocket channel itself, typically kept open for continuous data exchange between the charger and the operator's backend.

The ZDI advisory specifies that the vulnerability resides in the handling of WebSocket messages "related to the OCPP service." This detail is significant because it places the flaw in the core business logic of the device, not in an ancillary service. The integer underflow occurs before buffer allocation, when attacker-controlled data undergoes insufficient validation. The result is memory corruption that enables code execution in the context of the embedded system.

Why Pre-Auth Changes the Equation

The absence of authentication requirements for exploitation is the factor that elevates operational risk. An Internet-connected home charger, or even one reachable from the local network via compromise of other devices, presents an attack surface with no entry barriers. In this scenario, the home network no longer functions as a defensive perimeter: the energy IoT device becomes a potential pivot for lateral movement.

"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Home EV chargers. Authentication is not required to exploit this vulnerability." — ZDI Advisory ZDI-26-437

The CVSS 8.1 score assigned by ZDI for CVE-2026-13308 places the vulnerability in the "High" severity range. The source does not provide the full CVSS vector, so it is not possible to infer the network access or attack complexity metrics beyond what is stated. What emerges with certainty is the combination of maximum impact (code execution) and ease of access (no authentication).

Coordinated Disclosure and Missing Data

The timeline documented by ZDI shows an interval of approximately four months between the private vendor report and public release: March 19, 2026 for the private report, July 15, 2026 for coordinated publication. This window is consistent with standard disclosure timelines, but the dossier does not clarify whether Autel released firmware updates in the interim or whether the advisory accompanies the availability of a patch.

On this point, the dossier's limits are explicit: no public vendor advisory appears in the available data, nor is a firmware version indicated as corrective. The CVE-2026-13308 record, confirmed by official assignment but still in "reserved" status according to cve.org, has not yet populated technical details. For charging network operators and home installation owners, this creates an operational void: there is no "safe" version identifier to verify on their devices.

Why It Matters

The dossier does not specify corrective measures adopted by the vendor nor technical recommendations for mitigation. No indications on automatic updates, firmware distribution channels, or procedures to verify the installed version. The source also does not document whether Autel has activated communication channels with its installed base to notify them of the vulnerability.

The Pwn2Own context, in which the flaw was demonstrated, validates the technical reproducibility of the exploit but provides no evidence of malicious use outside the lab. The distinction is relevant for risk assessment: a proof-of-concept does not equal an active threat, but pre-authentication drastically lowers the threshold for potential replication. The rapidly expanding electric mobility sector is inheriting the same security challenges that have traversed more mature IoT sectors, with the aggravating factor of physical infrastructure connected to the power grid.

Questions and Answers

Are Autel chargers the only devices with this flaw?

Advisory ZDI-26-437 explicitly identifies the Autel MaxiCharger AC Elite Home model. The dossier does not extend confirmation to other vendor products nor to OCPP implementations by other manufacturers. A generalization would not be supported by the available data.

Is there an applicable patch?

The availability of a specific firmware update released by Autel is not documented in the dossier data. The CVE record is in "reserved" status and does not report information on fixed versions.

What is the concrete risk for a home user?

A compromised charger expands the home network's attack surface. The dossier documents code execution in the device context; it does not specify subsequent propagation vectors, but network logic makes lateral movement toward other home systems plausible.

Sources

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. cve.org
  3. trendmicro.com