Skip to main content

Besen BS20 CVE-2026-9395

| EUVDEUVD-2026-31547 LOW
Insufficiently Protected Credentials (CWE-522)
2026-05-24 VulDB GHSA-cvv7-f8m3-cjxx
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 13:06 vuln.today
CVSS changed
May 26, 2026 - 20:07 NVD
3.5 (LOW) 2.0 (LOW)

DescriptionCVE.org

A vulnerability was identified in Besen BS20 EV Charging Station up to 20260426. Affected is an unknown function of the component BLE/UDP. The manipulation leads to insufficiently protected credentials. The attack needs to be initiated within the local network. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."

AnalysisAI

Cleartext credential exposure in the Besen BS20 EV Charging Station's BLE and UDP interfaces allows an adjacent-network attacker with low privileges to intercept authentication material transmitted without adequate protection. All firmware versions up to 20260426 are affected per EUVD-2026-31547 and NVD CPE data. Publicly available exploit code exists per a researcher's GitHub disclosure; however, no CISA KEV listing and an EPSS of 0.01% (3rd percentile) indicate no confirmed widespread exploitation at time of analysis.

Technical ContextAI

The Besen BS20 is a home EV charging station that communicates over Bluetooth Low Energy (BLE) and UDP for local pairing, configuration, and authentication workflows - common IoT patterns for mobile-app-driven smart charging devices. CWE-522 (Insufficiently Protected Credentials) at its root means the device transmits or stores credentials without encryption or adequate obfuscation, making them recoverable by passive or active traffic interception. The researcher's GitHub disclosure (github.com/carfeii/besen, Finding 2) specifically identifies cleartext credential transmission across both the BLE and UDP protocol paths, implicating the application-layer handling of authentication data rather than a transport-layer cryptographic failure per se. The CPE string cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:* confirms the affected component is the device's software/firmware stack. BLE and UDP are inherently broadcast-friendly protocols; without explicit credential encryption layered on top, any adjacent receiver can passively harvest exchanged secrets during pairing or session establishment events.

RemediationAI

No vendor-released patch has been identified at time of analysis. Besen acknowledged the report and stated they are reviewing it as of April 2026, but no fix version or remediation timeline has been publicly confirmed - patch availability should be monitored via VulDB (https://vuldb.com/vuln/365376) and the NVD entry. As compensating controls: isolate the BS20 charging station on a dedicated VLAN or network segment accessible only to trusted client devices, directly reducing the population of potential adjacent-network attackers with access to UDP traffic. Disable or limit BLE pairing mode when active mobile-app pairing is not in progress, reducing the window during which BLE credential exchanges can be intercepted. If the LAN uses Wi-Fi, enforce WPA2 or WPA3 authentication to raise the barrier to passive UDP sniffing - though note this does not protect against attackers already legitimately connected to the network. Monitor local network traffic for anomalous UDP activity to or from the charging station as a detection measure. None of these workarounds eliminate the underlying cleartext credential transmission; they reduce attacker opportunity until a firmware fix is released.

Share

CVE-2026-9395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy