Skip to main content

XCharge C6 CVE-2026-9037

| EUVDEUVD-2026-33002 CRITICAL
Download of Code Without Integrity Check (CWE-494)
2026-05-28 icscert GHSA-6qw7-34qq-r69v
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 20:23 vuln.today
CVSS changed
May 28, 2026 - 20:22 NVD
9.3 (CRITICAL)

DescriptionCVE.org

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

AnalysisAI

Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature verification in its management-channel update mechanism, enabling remote attackers who can interpose on or impersonate the management interface to push malicious firmware. Successful exploitation yields high-privilege code execution on the EV charging device, and the issue is tracked in CISA ICS advisory ICSA-26-148-08 with no public exploit identified at time of analysis.

Technical ContextAI

The XCharge C6 is an EV charging controller whose firmware update routine, exposed through its device management interface, accepts firmware packages without validating an authenticity signature - the textbook CWE-494 (Download of Code Without Integrity Check) failure mode. In properly designed embedded update systems, the bootloader or update agent verifies a vendor-signed manifest or image against a baked-in public key before flashing; here that step is absent, so any payload that conforms to the expected package format is accepted as authoritative. The CPE cpe:2.3:a:xcharge:c6 narrows the affected scope to XCharge's C6 product line, and the ICS-CERT reporting channel indicates this was disclosed through coordinated industrial-control-system disclosure rather than independent research.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied data; defenders should consult CISA advisory ICSA-26-148-08 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 for XCharge's official fixed firmware version and apply it as soon as it is published. Until a signed-firmware-capable build is available, restrict the C6 management interface to a dedicated management VLAN reachable only from an administrative jump host, block the management port at perimeter and inter-segment firewalls, and enforce mutual TLS or VPN access to any operator workstation that talks to the charger - accepting that this will break ad-hoc field-tech access and any cloud-management integration that relied on direct reachability. Monitor the device for unexpected firmware-version changes or reboots, and disable remote firmware update functionality entirely if the vendor exposes a toggle, recognizing this also blocks legitimate over-the-air updates.

Share

CVE-2026-9037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy