Skip to main content

Besen BS20 CVE-2026-9394

| EUVDEUVD-2026-31548 LOW
Weak Password Requirements (CWE-521)
2026-05-24 VulDB GHSA-fj8p-hqwr-45hx
1.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.3 LOW
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 13:08 vuln.today
CVSS changed
May 26, 2026 - 20:07 NVD
3.1 (LOW) 1.3 (LOW)

DescriptionCVE.org

A vulnerability was determined in Besen BS20 EV Charging Station up to 20260426. This impacts an unknown function of the component Bluetooth Low Energy Handler. Executing a manipulation can lead to weak password requirements. The attack needs to be done within the local network. This attack is characterized by high complexity. The exploitability is said to be difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."

AnalysisAI

Weak password requirements in the Bluetooth Low Energy (BLE) handler of the Besen BS20 EV Charging Station (firmware up to 20260426) expose the device to credential brute-forcing from adjacent-network attackers within Bluetooth range. The flaw, catalogued under CWE-521, results in limited confidentiality impact (VC:L in CVSS 4.0) with no integrity or availability consequences, yielding an overall CVSS 4.0 score of 1.3. Publicly available exploit code exists (E:P in CVSS vector, GitHub PoC at carfeii/besen), though EPSS sits at 0.01% (2nd percentile), and no active exploitation has been confirmed by CISA KEV. Besen acknowledged the report as of April 2026 but no patched firmware version has been released.

Technical ContextAI

The affected component is the Bluetooth Low Energy (BLE) handler embedded in the Besen BS20 home EV charging station, identified by CPE cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:*. BLE is used as the primary local wireless interface for pairing, configuration, and potentially session authentication between the charger and a companion mobile app. CWE-521 (Weak Password Requirements) indicates the firmware does not enforce sufficient password strength, length, or complexity constraints on BLE-authenticated interactions, making credentials susceptible to enumeration or brute-force within radio range. The adjacent-network attack vector (AV:A) in CVSS 4.0 bounds exploitation to Bluetooth proximity (typically 10-100 meters), distinguishing this from internet-reachable vulnerabilities. The high attack complexity (AC:H) likely reflects the need to interact with specific BLE GATT services or characteristic handles and possibly to perform precise timing or sequencing of BLE operations.

RemediationAI

No vendor-released patch has been identified at time of analysis - Besen acknowledged the report as of April 2026 and stated they are reviewing the findings, but no fixed firmware version has been confirmed by NVD, ENISA EUVD, or the researcher's disclosure at https://github.com/carfeii/besen. Until a firmware update is available, defenders should apply the following compensating controls: restrict physical access to the charging station and its Bluetooth radio range, particularly in shared or semi-public environments where unauthorized individuals could approach within BLE proximity (10-100 meters); change any default or factory-set BLE credentials to strong, unique passphrases where the device interface permits, to raise the brute-force cost despite the weak enforcement policy; monitor companion mobile app logs or network traffic for anomalous BLE pairing attempts; and consider disabling BLE functionality entirely if the charger can be managed via an alternative interface, accepting the trade-off of losing remote mobile-app control. Customers should monitor the Besen vendor channel and VulDB entry https://vuldb.com/vuln/365375 for firmware update announcements.

CVE-2012-2441 HIGH POC
8.5 Apr 28

RuggedCom Rugged Operating System (ROS) before 3.3 has a factory account with a password derived from the MAC Address fi

CVE-2024-42850 CRITICAL POC
9.8 Aug 16

An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity

CVE-2025-28200 CRITICAL POC
9.8 May 09

Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits o

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-63747 CRITICAL POC
9.8 Nov 17

QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immedia

CVE-2023-37756 CRITICAL POC
9.8 Sep 14

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creatio

CVE-2023-2160 CRITICAL POC
9.8 Apr 18

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0. Rated critical severity (CVSS 9.8), this

CVE-2023-2106 CRITICAL POC
9.8 Apr 15

Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20. Rated critical severity (CVSS 9.8)

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-44236 CRITICAL POC
9.8 Dec 15

Beijing Zed-3 Technologies Co.,Ltd VoIP simpliclty ASG 8.5.0.17807 (20181130-16:12) has a Weak password vulnerability. R

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2022-3268 CRITICAL POC
9.8 Sep 22

Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-9394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy