Skip to main content

Besen BS20 CVE-2026-9398

| EUVDEUVD-2026-31550 LOW
Authentication Bypass by Capture-replay (CWE-294)
2026-05-24 VulDB GHSA-vvwr-2pc3-326q
1.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.3 LOW
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 13:04 vuln.today
CVSS changed
May 26, 2026 - 20:07 NVD
3.1 (LOW) 1.3 (LOW)

DescriptionCVE.org

A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."

AnalysisAI

Unauthenticated capture-replay authentication bypass in the Besen BS20 EV Charging Station (firmware up to 20260426) exposes the device's BLE/WiFi interface to unauthorized command injection. An attacker physically adjacent to the charger can intercept and replay wireless authentication tokens to issue tampered charging commands without valid credentials. No patch has been released as of the analysis date; the vendor acknowledged the report in April 2026 and confirmed they are reviewing it. Publicly available proof-of-concept code exists (CVSS E:P), though exploitation probability remains very low (EPSS 0.03%, 11th percentile), consistent with the high attack complexity and adjacent-only access requirement.

Technical ContextAI

The vulnerability stems from CWE-294 (Authentication Bypass by Capture-Replay), a class of weakness in which an authentication mechanism relies on a token or credential that can be intercepted and retransmitted verbatim to gain unauthorized access. In this case, the affected surface is the BLE (Bluetooth Low Energy) and/or WiFi wireless communication stack of the Besen BS20 EV charging station. These protocols are commonly used in IoT charging infrastructure to allow mobile apps or backend systems to issue commands (start/stop charging, adjust current, etc.). If authentication tokens exchanged over these channels are not protected by challenge-response mechanisms or nonce-based schemes, a passive observer within radio range can capture a valid session token and replay it later to impersonate a legitimate controller. The affected CPE is cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:* covering all BS20 firmware versions through 20260426, as confirmed by EUVD-2026-31550.

RemediationAI

No vendor-released patch has been identified at time of analysis. Besen acknowledged the vulnerability report in April 2026 and stated they are reviewing the issues; no fix version has been confirmed by the vendor or independently verified. Until a firmware update is released, operators should implement the following compensating controls: restrict physical access to areas within BLE radio range of the charger to authorized personnel only, which directly limits the attacker's ability to capture wireless traffic; disable WiFi connectivity on the BS20 if BLE-only operation is sufficient, reducing the wireless attack surface by eliminating one of the two affected protocols; deploy network segmentation to isolate charging station WiFi networks from general corporate or public networks, preventing lateral movement if a replay succeeds; and monitor for anomalous charger command sequences (e.g., repeated start/stop cycles, unexpected current adjustments) that could indicate replay activity. Note that disabling WiFi may affect remote monitoring or backend integration capabilities. Operators should monitor the VulDB advisory at https://vuldb.com/vuln/365379 and the vendor's channels for patch availability.

Share

CVE-2026-9398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy