Skip to main content

Mennekes Amtron CVE-2026-8979

| EUVDEUVD-2026-32896 CRITICAL
Improper Authentication (CWE-287)
2026-05-28 office@cyberdanube.com GHSA-m7v3-p7g2-xh6x
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 14:30 vuln.today

DescriptionCVE.org

The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint.

AnalysisAI

Unauthenticated password reset in Mennekes Amtron EV charging stations running firmware 5.22.3 and earlier allows remote attackers to seize the operator account by sending a crafted POST to /operator/operator. CVSS 4.0 of 9.3 with PR:N/UI:N and CWE-287 reflects a complete authentication bypass, and the CVSS exploit maturity flag (E:P) plus the cyberdanube research disclosure indicate publicly available exploit code exists, though the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Mennekes Amtron is a family of AC wallbox EV chargers that expose a web-based operator interface for configuration, OCPP backend setup, and load management. The flaw is rooted in CWE-287 (Improper Authentication): the /operator/operator endpoint accepts password-change requests without first validating the requester's session or credentials, so the server-side authorization check that should gate operator-account modification is either missing or improperly enforced. Because the operator account is the highest-privilege local identity on the charger's management interface, owning it grants full administrative control over charging policies, network/OCPP configuration, and firmware management on the affected device.

RemediationAI

No vendor-released patch identified at time of analysis - operators should contact Mennekes support directly to obtain a firmware build newer than 5.22.3 and monitor https://cyberdanube.com/security-research/multiple-vulnerabilities-in-mennekes-amtron-series/ for coordinated disclosure updates. Until a fixed firmware is installed, isolate the charger's management interface from the internet and from general user VLANs by placing it on a dedicated OT/management network reachable only from administrative jump hosts; this prevents reach to /operator/operator from untrusted sources but will break any remote-management workflows that depended on direct exposure. Block inbound HTTP/HTTPS to the charger at the perimeter firewall and disable any UPnP or port-forwarding rules that publish the management UI; if the device supports it, enable client-certificate or VPN-only access to the operator interface, accepting the operational overhead of certificate distribution. Rotate the operator password after upgrading, since a pre-patch compromise may have already silently reset it.

Share

CVE-2026-8979 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy