Skip to main content

Besen BS20 CVE-2026-9396

| EUVDEUVD-2026-31552 LOW
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-05-24 VulDB GHSA-8j4m-2qxx-4mqg
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 13:09 vuln.today
CVSS changed
May 26, 2026 - 20:07 NVD
3.7 (LOW) 2.9 (LOW)

DescriptionCVE.org

A security flaw has been discovered in Besen BS20 EV Charging Station up to 20260426. Affected by this vulnerability is an unknown functionality of the component Firmware Version Check. The manipulation results in improper restriction of rendered ui layers. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitation appears to be difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."

AnalysisAI

UI layer spoofing in the Besen BS20 EV Charging Station's Firmware Version Check component allows remote unauthenticated attackers to manipulate rendered UI layers (CWE-1021), producing falsified firmware version displays with a limited integrity impact on the vulnerable system. All firmware builds up to 20260426 are affected per ENISA EUVD-2026-31552, with a publicly documented proof-of-concept available on GitHub. Vendor acknowledgment was received as of April 2026 with no released patch confirmed - attack complexity is rated High and EPSS exploitation probability sits at 0.03% (8th percentile), indicating negligible real-world exploitation likelihood at this time.

Technical ContextAI

CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) describes a vulnerability class where an application fails to prevent an attacker from overlaying or spoofing UI elements presented to users - classically associated with clickjacking but here manifesting as firmware version manipulation and UI spoofing in the device's Firmware Version Check interface. The affected product is identified by CPE cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:*, an embedded EV charging station controller produced by Besen. The Firmware Version Check component, likely exposed via a web-based management interface, does not properly restrict rendered UI layers, enabling an attacker to cause the device to present falsified firmware version information to administrators. The XSS tag applied by VulDB's intelligence pipeline suggests a possible cross-site scripting dimension to the attack surface, though the primary CWE classification points specifically to UI layer restriction failure rather than script injection. Notably, CWE-1021 vulnerabilities canonically require user interaction, which creates a tension with the CVSS 4.0 UI:N assignment that warrants verification against the researcher's published POC.

RemediationAI

No vendor-released patch has been confirmed at the time of analysis - Besen acknowledged receipt of the disclosure and indicated active review as of April 2026, per the original researcher disclosure, but no fix version or timeline has been published. Operators should monitor VulDB advisory https://vuldb.com/vuln/365377 and the Besen vendor channel for patch announcements. As a primary compensating control, restrict network access to the BS20 management interface - specifically the Firmware Version Check endpoint - to trusted administrative VLANs or subnets only, directly reducing exposure given the AV:N attack vector; this limits operational flexibility by requiring administrators to access the interface from approved network segments. Where operationally feasible, disabling remote management access entirely eliminates the attack vector at the cost of requiring local or console-based firmware management. Operators should independently verify device firmware integrity through out-of-band means (e.g., physical inspection, vendor-provided hash verification) rather than relying solely on the web UI display, which is the vector for the falsified output.

Share

CVE-2026-9396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy