C6
Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a remote management service exposed on the vehicle-charger signaling channel and protected only by a default administrative credential. Affecting XCharge C6 firmware versions released before May 22, 2026, the issue was disclosed via CISA ICS-CERT advisory ICSA-26-148-08 with a CVSS 4.0 score of 8.6 and no public exploit identified at time of analysis.
Stack-based buffer overflow in the XCharge C6 charging controller's signal-processing logic enables an attacker with physical access to the charging interface to corrupt memory by sending oversized message fields, potentially gaining code execution with elevated privileges. Reported through CISA's ICS-CERT under advisory ICSA-26-148-08, the flaw carries a CVSS 4.0 score of 8.6 driven by high impact to confidentiality, integrity, and availability of both the vulnerable component and adjacent subsystems. No public exploit was identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature verification in its management-channel update mechanism, enabling remote attackers who can interpose on or impersonate the management interface to push malicious firmware. Successful exploitation yields high-privilege code execution on the EV charging device, and the issue is tracked in CISA ICS advisory ICSA-26-148-08 with no public exploit identified at time of analysis.