Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.
AnalysisAI
Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature verification in its management-channel update mechanism, enabling remote attackers who can interpose on or impersonate the management interface to push malicious firmware. Successful exploitation yields high-privilege code execution on the EV charging device, and the issue is tracked in CISA ICS advisory ICSA-26-148-08 with no public exploit identified at time of analysis.
Technical ContextAI
The XCharge C6 is an EV charging controller whose firmware update routine, exposed through its device management interface, accepts firmware packages without validating an authenticity signature - the textbook CWE-494 (Download of Code Without Integrity Check) failure mode. In properly designed embedded update systems, the bootloader or update agent verifies a vendor-signed manifest or image against a baked-in public key before flashing; here that step is absent, so any payload that conforms to the expected package format is accepted as authoritative. The CPE cpe:2.3:a:xcharge:c6 narrows the affected scope to XCharge's C6 product line, and the ICS-CERT reporting channel indicates this was disclosed through coordinated industrial-control-system disclosure rather than independent research.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied data; defenders should consult CISA advisory ICSA-26-148-08 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 for XCharge's official fixed firmware version and apply it as soon as it is published. Until a signed-firmware-capable build is available, restrict the C6 management interface to a dedicated management VLAN reachable only from an administrative jump host, block the management port at perimeter and inter-segment firewalls, and enforce mutual TLS or VPN access to any operator workstation that talks to the charger - accepting that this will break ad-hoc field-tech access and any cloud-management integration that relied on direct reachability. Monitor the device for unexpected firmware-version changes or reboots, and disable remote firmware update functionality entirely if the vendor exposes a toggle, recognizing this also blocks legitimate over-the-air updates.
Stack-based buffer overflow in the XCharge C6 charging controller's signal-processing logic enables an attacker with phy
Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a
Same weakness CWE-494 – Download of Code Without Integrity Check
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33002
GHSA-6qw7-34qq-r69v