Severity by source
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.
AnalysisAI
Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a remote management service exposed on the vehicle-charger signaling channel and protected only by a default administrative credential. Affecting XCharge C6 firmware versions released before May 22, 2026, the issue was disclosed via CISA ICS-CERT advisory ICSA-26-148-08 with a CVSS 4.0 score of 8.6 and no public exploit identified at time of analysis.
Technical ContextAI
The affected device (cpe:2.3:a:xcharge:c6) is an electric vehicle charging station. The root cause is classified under CWE-1188 (Insecure Default Initialization of Resource): a management service that should be isolated to administrative networks is instead reachable through pins of the charging connector - typically reserved for low-level vehicle-to-charger signaling such as PWM control pilot or PLC communications used in protocols like ISO 15118 or SAE J1772 - and ships with a built-in administrative credential that is not forced to be changed at first use. Because the management interface trusts whichever endpoint negotiates a session on that channel, any device speaking the management protocol over the connector pins is treated as a legitimate operator.
RemediationAI
Patch available per vendor advisory - upgrade XCharge C6 firmware to the release dated May 22, 2026 or later as referenced in CISA advisory ICSA-26-148-08 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08); operators should also rotate the default administrative credential immediately after upgrade since the underlying weakness is an insecure default. Where patching is not immediately possible, compensating controls include restricting physical access to the charging connectors (gated bays, tamper-evident enclosures, CCTV monitoring of plug-in events), disabling the remote management service on the signaling channel if the vendor exposes a configuration toggle (trade-off: may break legitimate management workflows that ride the same channel), and network-segmenting the charger's back-end management VLAN so that a compromised unit cannot pivot into operator OT/IT networks (trade-off: requires re-architecting fleet management connectivity). Inventory and audit any C6 unit that has been deployed in publicly accessible locations for signs of unauthorized configuration changes.
Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature veri
Stack-based buffer overflow in the XCharge C6 charging controller's signal-processing logic enables an attacker with phy
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33004
GHSA-9w95-xvpv-cvjw