www.cisa.gov 3/12/2026, 4:11:15 PM · via preferred

Siemens Heliox EV Chargers


The ICS Advisory for Siemens Heliox EV Chargers, released on 12 March 2026, identifies an improper access control vulnerability that could allow an attacker to reach unauthorized services via the charging cable. The affected devices are the Heliox Flex 180 kW EV Charging Station and the Heliox Mobile DC 40 kW EV Charging Station. The advisory lists a CVSS v3.1 base score of 2.6 (vector AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) and labels the vulnerability as Improper Restriction of Communication Channel to Intended Endpoints.

According to Siemens ProductCERT, Siemens has released new versions for the affected products and recommends updating to the latest versions via an OTA patch. In the meantime, CISA urges defensive measures such as minimising network exposure, isolating control system networks behind firewalls, and ensuring remote access uses secure methods like VPNs.

The advisory also provides guidance on configuring environments in line with Siemens’ Industrial Security guidelines and other best practices, with further assistance available from Siemens ProductCERT.


Article by CyberSIXT