Which versions of XCharge C6 are affected by CVE-2026-9039?

XCharge C6 EV charger firmware is vulnerable to complete administrative compromise through a vehicle-charger communication interface protected only by default credentials.

XCharge C6 CVE-2026-9039

Q: What is the CVSS score of CVE-2026-9039?

CVE-2026-9039 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-33004 HIGH

Initialization of a Resource with an Insecure Default (CWE-1188)

2026-05-28 icscert

GHSA-9w95-xvpv-cvjw

Information Disclosure C6

8.6

CVSS 4.0

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 22:20 vuln.today

CVSS changed

May 28, 2026 - 20:22 NVD

8.6 (HIGH)

CVE Published

May 28, 2026 - 19:07 nvd

UNKNOWN (no severity yet)

DescriptionNVD

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.

AnalysisAI

Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a remote management service exposed on the vehicle-charger signaling channel and protected only by a default administrative credential. Affecting XCharge C6 firmware versions released before May 22, 2026, the issue was disclosed via CISA ICS-CERT advisory ICSA-26-148-08 with a CVSS 4.0 score of 8.6 and no public exploit identified at time of analysis.

RemediationAI

24 hours: Identify all XCharge C6 chargers in operation and verify firmware release dates against May 22, 2026 threshold. 7 days: Restrict physical access to communication ports; isolate charger management traffic on segmented networks; change default administrative credentials if the system permits. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-9039 vulnerability details – vuln.today

Back

XCharge C6 CVE-2026-9039

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

XCharge C6 CVE-2026-9039

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code