Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."
AnalysisAI
Improper authorization in the OTA Update Installation Handler of Besen BS20 EV Charging Station versions up to 20260426 allows remote attackers to install spoofed firmware updates on affected charging stations. The flaw is network-reachable with no authentication required, but exploitation carries high attack complexity (CVSS 4.0 8.2), and publicly available exploit code exists via the original researcher disclosure on GitHub. EPSS rates exploitation probability at only 0.04% (12th percentile), and CISA SSVC flags exploitation status as 'none' despite the public proof-of-concept.
Technical ContextAI
The vulnerability resides in the Over-The-Air (OTA) firmware update mechanism of the Besen BS20 EV charging station, an embedded device used in electric vehicle charging infrastructure. The root cause is classified as CWE-285 (Improper Authorization), meaning the OTA Update Installation Handler fails to properly validate the authority or authenticity of incoming firmware update payloads before installing them. Per the researcher's disclosure (carfeii/besen on GitHub, 'Finding 4 - Unauthorized Firmware Installation via Spoofed OTA Updates'), the handler accepts firmware updates that have been spoofed or are otherwise not properly attested, enabling an unauthorized party to push attacker-controlled firmware. The affected CPE is cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:*, covering all versions up to and including build 20260426.
RemediationAI
Patch available per vendor advisory according to the input data, though no vendor-hosted advisory URL is included in the references - operators should contact Besen directly to obtain a firmware release later than 20260426, since Besen acknowledged review of the report as of April 2026. The only patch-tagged reference is the researcher's write-up at https://github.com/carfeii/besen#finding-4-unauthorized-firmware-installation-via-spoofed-ota-updates, which documents the finding rather than a vendor release. Until a confirmed fixed firmware is deployed, restrict network reachability of the BS20 OTA update endpoint by placing charging stations behind a management VLAN or firewall that blocks inbound connections from untrusted networks (trade-off: legitimate remote OTA from the vendor cloud must be explicitly allowlisted), disable any internet-facing remote management interfaces if operationally tolerable, and monitor station firmware version strings for unexpected changes as a detective control. Refer to https://nvd.nist.gov/vuln/detail/CVE-2026-9397 and https://vuldb.com/vuln/365378 for tracking updates.
More in Bs20 Ev Charging Station
View allUI layer spoofing in the Besen BS20 EV Charging Station's Firmware Version Check component allows remote unauthenticated
Cleartext credential exposure in the Besen BS20 EV Charging Station's BLE and UDP interfaces allows an adjacent-network
Unauthenticated capture-replay authentication bypass in the Besen BS20 EV Charging Station (firmware up to 20260426) exp
Weak password requirements in the Bluetooth Low Energy (BLE) handler of the Besen BS20 EV Charging Station (firmware up
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31551
GHSA-2468-xgpc-jvv7