Skip to main content

Evbee DC-80 EUVDEUVD-2026-43332

| CVE-2026-22098 CRITICAL
Insertion of Sensitive Information into Log File (CWE-532)
2026-07-13 DIVD
9.2
CVSS 4.0 · Vendor: DIVD
Share

Severity by source

Vendor (DIVD) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Assuming logs are network-reachable per the source vector: unauthenticated low-complexity read (AV:N/AC:L/PR:N/UI:N) with high confidentiality and scope change (S:C) because exposed credentials/UIDs compromise other systems; no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (DIVD).

CVSS VectorVendor: DIVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 13, 2026 - 12:01 EUVD
Analysis Generated
Jul 13, 2026 - 11:11 vuln.today
CVE Published
Jul 13, 2026 - 09:10 cve.org
CRITICAL 9.2

DescriptionCVE.org

Various sensitive information such as passwords and charging card UIDs are written to log files.

AnalysisAI

Sensitive-data logging in the Evbee DC-80 DC EV charger writes secrets such as user passwords and charging card (RFID) UIDs in cleartext to log files, per DIVD advisory DIVD-2026-00001. The supplied CVSS 4.0 base score of 9.2 reflects high confidentiality impact to both the vulnerable system and downstream systems that reuse those credentials, so anyone able to read the logs can harvest reusable authentication material. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed charger log interface
Delivery
Retrieve Evbee DC-80 log files
Exploit
Extract plaintext passwords and card UIDs
Execution
Replay credentials/UIDs to authenticate
Impact
Obtain unauthorized charging or account access

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to obtain the Evbee DC-80's log files, which contain the sensitive data written per CWE-532; the supplied CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, unauthenticated access with no user interaction, implying the logs are exposed via a network-accessible interface on the charger. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H) rates this network-reachable, low-complexity, and unauthenticated with high confidentiality impact plus a subsequent-system confidentiality impact (SC:H) - consistent with harvested passwords/UIDs unlocking other systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the charger's log files - via an exposed management/web interface, a log-export function, or local/physical access to the device - retrieves the logs and reads plaintext user passwords and charging card UIDs. The attacker then replays those UIDs and credentials to obtain free charging, impersonate legitimate users, or pivot into any backend account that shares the exposed password. …
Remediation No vendor-released patch version was identified at time of analysis; consult the DIVD advisory at https://csirt.divd.nl/DIVD-2026-00001/ for current fix status and apply the vendor's patched firmware once it is released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, immediately restrict administrative access to DC-80 charger log files using operating system-level permissions and audit existing logs for unauthorized access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy