XCharge C6 EUVD-2026-33002

CVE-2026-9037 CRITICAL
Download of Code Without Integrity Check (CWE-494)
2026-05-28 icscert GHSA-6qw7-34qq-r69v
CVSS 4.0: 9.3

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: May 28, 2026 - 20:23 (vuln.today)
CVSS changed: May 28, 2026 - 20:22 (NVD), 9.3 (CRITICAL)

Description (NVD)

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

Analysis (AI)

Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature verification in its management-channel update mechanism, enabling remote attackers who can interpose on or impersonate the management interface to push malicious firmware. Successful exploitation yields high-privilege code execution on the EV charging device, and the issue is tracked in CISA ICS advisory ICSA-26-148-08 with no public exploit identified at time of analysis.

Remediation (AI)

24 hours: Inventory all XCharge C6 charging controllers and obtain CISA ICS Advisory ICSA-26-148-08 to verify affected firmware versions.
7 days: Implement network-layer segmentation: restrict management interface access to dedicated administrative VLANs and require VPN authentication for remote management operations. …
