Skip to main content

Mennekes Amtron CVE-2026-8980

| EUVDEUVD-2026-32897 CRITICAL
Improper Privilege Management (CWE-269)
2026-05-28 office@cyberdanube.com GHSA-x43w-f99f-mhc7
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 14:30 vuln.today

DescriptionCVE.org

The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin (operator) and manufacturer accounts via crafted POST requests.

AnalysisAI

Privilege escalation in Mennekes Amtron EV charging stations (firmware ≤ 5.22.3) allows a low-privileged authenticated user to overwrite credentials for the admin (operator) and manufacturer accounts through crafted POST requests, effectively granting full takeover of the charger's management interface. Publicly available exploit code exists per the CyberDanube research advisory, and the CVSS 4.0 base score of 9.3 reflects high impact across confidentiality, integrity, and availability with cascading effects on subsequent systems. Not currently listed in CISA KEV.

Technical ContextAI

The Mennekes Amtron series is a family of networked AC wallbox EV chargers that expose a web-based management interface for operators (administrators) and the manufacturer. The flaw is classified as CWE-269 (Improper Privilege Management), meaning the password-change endpoint fails to enforce that the requester possesses sufficient privilege over the target account; instead, any authenticated session can submit a POST request that rewrites the admin or manufacturer password. This is a classic horizontal/vertical privilege boundary failure in the authorization layer rather than an authentication bypass - the application authenticates the caller but does not verify the caller's role against the privilege level of the account being modified.

RemediationAI

No vendor-released patch identified at time of analysis; the only public reference is the CyberDanube research write-up at https://cyberdanube.com/security-research/multiple-vulnerabilities-in-mennekes-amtron-series/, which operators should monitor alongside Mennekes' own advisories for a firmware build above 5.22.3. Until a fix is published, compensating controls include removing the charger's management interface from any internet-routable network and placing it behind a VPN or jump host, restricting issuance of low-privileged web accounts to a minimum trusted set and rotating their credentials, and monitoring HTTP POST traffic to password-change endpoints for anomalous source accounts (trade-off: network restrictions may complicate remote operator workflows and OCPP-related troubleshooting). Disabling or removing the low-privileged role entirely is the strongest mitigation but will break any operational workflow that depends on it.

Share

CVE-2026-8980 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy