Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network-reachable command injection (AV:N/AC:L/PR:N/UI:N) yields full OS command execution, so confidentiality, integrity, and availability are all High; scope unchanged.
Primary rating from Vendor (DIVD).
CVSS VectorVendor: DIVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The NPC start endpoint on the web server at port 8090 is vulnerable to command injection.
AnalysisAI
Command injection in the evbee DC-80 EV charger allows remote unauthenticated attackers to execute arbitrary operating-system commands via the 'NPC start' endpoint exposed on the device's web server at TCP port 8090. Reported by DIVD (Dutch Institute for Vulnerability Disclosure), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable vector (AV:N/PR:N/UI:N) and high impact to confidentiality, integrity, and availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the evbee DC-80's web server on TCP port 8090 and the ability to send a request to the 'NPC start' endpoint - no authentication, no user interaction, and no special non-default configuration are indicated (PR:N/UI:N/AC:L/AT:N), so default-configured, network-reachable devices are exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals align toward high real-world risk for exposed devices: the CVSS 4.0 vector indicates network attack vector, low complexity, no attack requirements, and no privileges or user interaction (AV:N/AC:L/AT:N/PR:N/UI:N), with high impact across VC/VI/VA - a 9.3 critical rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the charger's port 8090 sends a crafted HTTP request to the NPC start endpoint containing shell metacharacters in a parameter, causing the embedded web server to execute injected OS commands with service privileges. From there the attacker can install persistence, manipulate charging behavior, pivot into the connected network, or brick the device. … |
| Remediation | No vendor-released patch identified at time of analysis; monitor the DIVD advisory at https://csirt.divd.nl/DIVD-2026-00001/ and the evbee vendor for firmware updates and apply the fixed build as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Isolate all evbee DC-80 chargers from production networks or immediately implement firewall rules blocking all external access to TCP port 8090; document the exact count and locations of affected devices. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships withou
Arbitrary file write in the Evbee DC-80 EV charging station lets remote unauthenticated attackers overwrite any file on
Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that
Remote code execution in the evbee DC-80 EV charging station is possible through a command injection flaw in the network
Sensitive-data logging in the Evbee DC-80 DC EV charger writes secrets such as user passwords and charging card (RFID) U
Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue priv
OS command injection in the EVBEE DC-80 electric-vehicle DC charger lets an actor who can send OCPP messages execute arb
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43333