Skip to main content

evbee DC-80 CVE-2026-22103

| EUVDEUVD-2026-43333 CRITICAL
Command Injection (CWE-77)
2026-07-13 DIVD
9.3
CVSS 4.0 · Vendor: DIVD
Share

Severity by source

Vendor (DIVD) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable command injection (AV:N/AC:L/PR:N/UI:N) yields full OS command execution, so confidentiality, integrity, and availability are all High; scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (DIVD).

CVSS VectorVendor: DIVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 13, 2026 - 12:01 EUVD
Analysis Generated
Jul 13, 2026 - 11:09 vuln.today
CVE Published
Jul 13, 2026 - 09:11 cve.org
CRITICAL 9.3

DescriptionCVE.org

The NPC start endpoint on the web server at port 8090 is vulnerable to command injection.

AnalysisAI

Command injection in the evbee DC-80 EV charger allows remote unauthenticated attackers to execute arbitrary operating-system commands via the 'NPC start' endpoint exposed on the device's web server at TCP port 8090. Reported by DIVD (Dutch Institute for Vulnerability Disclosure), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable vector (AV:N/PR:N/UI:N) and high impact to confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach charger web service on port 8090
Delivery
Send crafted request to NPC start endpoint
Exploit
Inject OS command via unsanitized parameter
Execution
Execute commands as web-service user
Impact
Compromise charger and pivot to network

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the evbee DC-80's web server on TCP port 8090 and the ability to send a request to the 'NPC start' endpoint - no authentication, no user interaction, and no special non-default configuration are indicated (PR:N/UI:N/AC:L/AT:N), so default-configured, network-reachable devices are exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals align toward high real-world risk for exposed devices: the CVSS 4.0 vector indicates network attack vector, low complexity, no attack requirements, and no privileges or user interaction (AV:N/AC:L/AT:N/PR:N/UI:N), with high impact across VC/VI/VA - a 9.3 critical rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the charger's port 8090 sends a crafted HTTP request to the NPC start endpoint containing shell metacharacters in a parameter, causing the embedded web server to execute injected OS commands with service privileges. From there the attacker can install persistence, manipulate charging behavior, pivot into the connected network, or brick the device. …
Remediation No vendor-released patch identified at time of analysis; monitor the DIVD advisory at https://csirt.divd.nl/DIVD-2026-00001/ and the evbee vendor for firmware updates and apply the fixed build as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Isolate all evbee DC-80 chargers from production networks or immediately implement firewall rules blocking all external access to TCP port 8090; document the exact count and locations of affected devices. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-22103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy