Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Assuming logs are network-reachable per the source vector: unauthenticated low-complexity read (AV:N/AC:L/PR:N/UI:N) with high confidentiality and scope change (S:C) because exposed credentials/UIDs compromise other systems; no integrity or availability impact.
Primary rating from Vendor (DIVD).
CVSS VectorVendor: DIVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Various sensitive information such as passwords and charging card UIDs are written to log files.
AnalysisAI
Sensitive-data logging in the Evbee DC-80 DC EV charger writes secrets such as user passwords and charging card (RFID) UIDs in cleartext to log files, per DIVD advisory DIVD-2026-00001. The supplied CVSS 4.0 base score of 9.2 reflects high confidentiality impact to both the vulnerable system and downstream systems that reuse those credentials, so anyone able to read the logs can harvest reusable authentication material. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to obtain the Evbee DC-80's log files, which contain the sensitive data written per CWE-532; the supplied CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, unauthenticated access with no user interaction, implying the logs are exposed via a network-accessible interface on the charger. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H) rates this network-reachable, low-complexity, and unauthenticated with high confidentiality impact plus a subsequent-system confidentiality impact (SC:H) - consistent with harvested passwords/UIDs unlocking other systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the charger's log files - via an exposed management/web interface, a log-export function, or local/physical access to the device - retrieves the logs and reads plaintext user passwords and charging card UIDs. The attacker then replays those UIDs and credentials to obtain free charging, impersonate legitimate users, or pivot into any backend account that shares the exposed password. … |
| Remediation | No vendor-released patch version was identified at time of analysis; consult the DIVD advisory at https://csirt.divd.nl/DIVD-2026-00001/ for current fix status and apply the vendor's patched firmware once it is released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, immediately restrict administrative access to DC-80 charger log files using operating system-level permissions and audit existing logs for unauthorized access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Command injection in the evbee DC-80 EV charger allows remote unauthenticated attackers to execute arbitrary operating-s
Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships withou
Arbitrary file write in the Evbee DC-80 EV charging station lets remote unauthenticated attackers overwrite any file on
Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that
Remote code execution in the evbee DC-80 EV charging station is possible through a command injection flaw in the network
Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue priv
OS command injection in the EVBEE DC-80 electric-vehicle DC charger lets an actor who can send OCPP messages execute arb
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43332