Vendor description
“Compleo charging technology provides the interface between mobility and a decentralised energy world. With us, electric driving becomes the simplest and most natural mode of sustainable transport. At Compleo, genuine electric mobility enthusiasts develop the necessary charging hardware and software.”
Source: https://www.compleo-charging.com/en/company/about-us
Vulnerable Products
Compleo eTower / 6.14.3_20250617
Compleo SOLO / 6.14.3_20250617
Compleo DUO / 6.14.3_20250617
Vulnerability overview
1) Unencrypted Memory (CVE-2026-10790)
The content of the eMMC chip on the iMX7 is unencrypted. This allows a physical attacker to extract the firmware of the device.
2) Open Recovery Mode (CVE-2026-10791)
The iMX7 module of the device can be forced into recovery mode. This allows a physical attacker to execute arbitrary code in RAM by short-circuiting two pins on the chip.
3) SSH Key Backdoor (CVE-2026-10793)
The ‘.authorized_keys’ file includes a cert-authority which allows the manufacturer or an attacker with a stolen key to access the device as root via ssh.
4) Authenticated SSH Key Injection (CVE-2026-10794)
The web application is vulnerable to an SSH key injection. An authenticated attacker can exploit this issue to gain root access on the device via ssh.
Proof of Concept
1) Unencrypted Memory (CVE-2026-10790)
The eMMC chip was unsoldered and attached to a memory reader to extract the flash content. The chip can also be directly mounted via an eMMC to SD-card adapter.
2) Open Recovery Mode (CVE-2026-10791)
The processor module (Toradex Colibri iMX7) can be put in recovery mode according to the manual (page 7) of Toradex:
https://docs.toradex.com/103125-colibri-arm-som-imx7-datasheet.pdf
This enables an attacker to boot their own operating system and modify or extract data from the operating system of the device.
3) SSH Key Backdoor (CVE-2026-10793)
The cert-authority entry is shown in the .authorized_keys file:
cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF+eErW1WlfJIpXlTY1qYZWUfcdmWoiYcy7owDOl3qW7 compleo-swdev-c
4) Authenticated SSH Key Injection (CVE-2026-10794)
The following two PUT requests can be used to inject an arbitrary ssh key. The newlines bypass the command restriction.
PUT /api/config/LoadManager/Master/ HTTP/2
Host: 192.168.1.100
Content-Length: 150
X-Token: FF304CB21223739888B699B829B585BD
Content-Type: application/json
Referer: https://192.168.1.100/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"Master":{"Slaves":[{"Id":0,"Elements":{"Key":"ssh-ed25519 \nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxOEYF2mwTrKiMZDdq8on6zJHaiUDTGemez6alnPbdC\n"}}]}}
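The two weaknesses above share a root cause: the device accepts an authorized_keys entry without checking that it is exactly one plain public key. The following added example (not code from the advisory or from the vendor) shows a strict validator for a user-submitted key that rejects the newline trick, and an audit routine that flags cert-authority or other option-prefixed entries in an existing authorized_keys file. The allowed key types and the sample key blob are assumptions constructed for the example.

```python
import base64
from typing import List, Optional

# Key types an operator would expect on the charger (assumption); anything else in the
# first field is treated as an options prefix such as cert-authority.
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}


def validate_submitted_key(value: str) -> Optional[str]:
    """Return a rejection reason, or None if value is exactly one plain public key.
    Line breaks are rejected first: that is what let the PUT body above smuggle a
    second authorized_keys entry past a check that only looked at the first token."""
    if any(ch in value for ch in "\r\n\x00"):
        return "line break or NUL in key"
    parts = value.strip().split()
    if len(parts) < 2 or len(parts) > 3:
        return "expected '<type> <base64> [comment]'"
    key_type, blob = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        return f"unsupported or option-prefixed key type {key_type!r}"
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return "key blob is not valid base64"
    # OpenSSH wire format starts with a length-prefixed string naming the key type;
    # it must agree with the declared type, which catches hand-crafted blobs.
    if len(raw) < 4 or raw[4:4 + int.from_bytes(raw[:4], "big")] != key_type.encode():
        return "key blob does not match declared type"
    return None


def audit_authorized_keys(text: str) -> List[str]:
    """Flag entries that carry an options field (e.g. cert-authority, which delegates
    root login to whoever holds the CA key) or that do not parse as a single key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        problem = validate_submitted_key(line)
        if problem:
            findings.append(f"line {lineno}: {problem}")
    return findings


def sample_ed25519_blob() -> str:
    """Constructed ed25519 blob (not a real key): string('ssh-ed25519') + string(32 bytes)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
    return base64.b64encode(raw).decode()
```

Running audit_authorized_keys over the device's .authorized_keys reports the vendor cert-authority line shown above as an option-prefixed entry; validate_submitted_key rejects the PUT payload because of the embedded newline before anything else is parsed.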
Solution
Update to version 6.15.0 or later to solve the issues.
Workaround
Restrict network and physical access to the device.
Technology Used
The vulnerabilities were manually verified on an emulated device by using “MEDUSA scalable firmware runtime” (www.medusa.re).
Vendor Advisory
https://www.compleo-charging.com/produkte/document-center/security-advisory-1
Contact Timeline
- 2026-02-24: Tried to reach vendor via multiple publicly available email addresses until 2025-03-09; No answer.
- 2026-03-10: Telephone call with vendor contact. Sent security advisory to vendor contact.
- 2026-03-18: Got confirmation from the vendor regarding vulnerabilities. Answered further questions from the vendor.
- 2026-04-21: Vendor asked for deadline extension by 30 days. Confirmed the extension.
- 2026-05-13: Vendor informed us that vulnerability number three will be fixed in September; Informed vendor that advisory will be split in this case.
- 2026-05-28: Vendor asked for CVE numbers; Provided numbers a few days later.
- 2026-06-19: Vendor informed us that advisory is finalized.
- 2026-06-22: Vendor released advisory.
- 2026-06-25: Coordinated release of security advisory.