Skip to main content

Besen BS20 EV Charging Station CVE-2026-9397

| EUVDEUVD-2026-31551 HIGH
Improper Authorization (CWE-285)
2026-05-24 VulDB GHSA-2468-xgpc-jvv7
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 09:56 vuln.today
CVSS changed
May 26, 2026 - 20:07 NVD
8.1 (HIGH) 8.2 (HIGH)

DescriptionCVE.org

A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."

AnalysisAI

Improper authorization in the OTA Update Installation Handler of Besen BS20 EV Charging Station versions up to 20260426 allows remote attackers to install spoofed firmware updates on affected charging stations. The flaw is network-reachable with no authentication required, but exploitation carries high attack complexity (CVSS 4.0 8.2), and publicly available exploit code exists via the original researcher disclosure on GitHub. EPSS rates exploitation probability at only 0.04% (12th percentile), and CISA SSVC flags exploitation status as 'none' despite the public proof-of-concept.

Technical ContextAI

The vulnerability resides in the Over-The-Air (OTA) firmware update mechanism of the Besen BS20 EV charging station, an embedded device used in electric vehicle charging infrastructure. The root cause is classified as CWE-285 (Improper Authorization), meaning the OTA Update Installation Handler fails to properly validate the authority or authenticity of incoming firmware update payloads before installing them. Per the researcher's disclosure (carfeii/besen on GitHub, 'Finding 4 - Unauthorized Firmware Installation via Spoofed OTA Updates'), the handler accepts firmware updates that have been spoofed or are otherwise not properly attested, enabling an unauthorized party to push attacker-controlled firmware. The affected CPE is cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:*, covering all versions up to and including build 20260426.

RemediationAI

Patch available per vendor advisory according to the input data, though no vendor-hosted advisory URL is included in the references - operators should contact Besen directly to obtain a firmware release later than 20260426, since Besen acknowledged review of the report as of April 2026. The only patch-tagged reference is the researcher's write-up at https://github.com/carfeii/besen#finding-4-unauthorized-firmware-installation-via-spoofed-ota-updates, which documents the finding rather than a vendor release. Until a confirmed fixed firmware is deployed, restrict network reachability of the BS20 OTA update endpoint by placing charging stations behind a management VLAN or firewall that blocks inbound connections from untrusted networks (trade-off: legitimate remote OTA from the vendor cloud must be explicitly allowlisted), disable any internet-facing remote management interfaces if operationally tolerable, and monitor station firmware version strings for unexpected changes as a detective control. Refer to https://nvd.nist.gov/vuln/detail/CVE-2026-9397 and https://vuldb.com/vuln/365378 for tracking updates.

Share

CVE-2026-9397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy