Dc 80
Monthly
Command injection in the evbee DC-80 EV charger allows remote unauthenticated attackers to execute arbitrary operating-system commands via the 'NPC start' endpoint exposed on the device's web server at TCP port 8090. Reported by DIVD (Dutch Institute for Vulnerability Disclosure), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable vector (AV:N/PR:N/UI:N) and high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; no EPSS score was supplied.
Sensitive-data logging in the Evbee DC-80 DC EV charger writes secrets such as user passwords and charging card (RFID) UIDs in cleartext to log files, per DIVD advisory DIVD-2026-00001. The supplied CVSS 4.0 base score of 9.2 reflects high confidentiality impact to both the vulnerable system and downstream systems that reuse those credentials, so anyone able to read the logs can harvest reusable authentication material. No public exploit identified at time of analysis.
Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships without cryptographic signature validation (CWE-347), letting an attacker who reaches the update capability push a malicious firmware image and have it executed by the device. Reported by DIVD (advisory DIVD-2026-00001) with a CVSS 4.0 base score of 9.3 and a 'Jwt Attack' angle noted in triage tags, the flaw grants full compromise of the charger. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue privileged commands without any credentials, enabling sensitive information disclosure, forced reboots, and - most dangerously - the ability to push an arbitrary firmware update URL to the device. Reported by DIVD (DIVD-2026-00001), it carries CVSS 4.0 base 8.7 (High). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary file write in the Evbee DC-80 EV charging station lets remote unauthenticated attackers overwrite any file on the device by sending a POST request whose Content-Disposition filename parameter is trusted without validation. Because a written file can clobber system files (denial of service) or replace shell scripts that are later executed, this escalates to remote code execution. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CWE-20 root cause make this a critical, high-priority flaw.
Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that requires no login, allowing remote unauthenticated attackers to read sensitive data such as configured passwords and to upload arbitrary files via multiple endpoints. Reported through the DIVD CSIRT coordinated-disclosure program (DIVD-2026-00001), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable, no-privilege vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
OS command injection in the EVBEE DC-80 electric-vehicle DC charger lets an actor who can send OCPP messages execute arbitrary commands as root by tampering with the data value of the vendor-specific `ReserveLogin` DataTransfer message. The flaw was reported by DIVD (Dutch Institute for Vulnerability Disclosure) and affects the charger's OCPP handling; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because execution occurs as root, successful exploitation results in full compromise of the charging station.
Remote code execution in the evbee DC-80 EV charging station is possible through a command injection flaw in the network diagnosis endpoint exposed on the web server at TCP port 8090. Because the CVSS 4.0 vector specifies no privileges and no user interaction (AV:N/PR:N/UI:N), a remote unauthenticated attacker who can reach port 8090 can inject operating-system commands and fully compromise the device. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the DIVD coordinated disclosure and 9.3 (Critical) score make it a high-priority defect.
Command injection in the evbee DC-80 EV charger allows remote unauthenticated attackers to execute arbitrary operating-system commands via the 'NPC start' endpoint exposed on the device's web server at TCP port 8090. Reported by DIVD (Dutch Institute for Vulnerability Disclosure), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable vector (AV:N/PR:N/UI:N) and high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; no EPSS score was supplied.
Sensitive-data logging in the Evbee DC-80 DC EV charger writes secrets such as user passwords and charging card (RFID) UIDs in cleartext to log files, per DIVD advisory DIVD-2026-00001. The supplied CVSS 4.0 base score of 9.2 reflects high confidentiality impact to both the vulnerable system and downstream systems that reuse those credentials, so anyone able to read the logs can harvest reusable authentication material. No public exploit identified at time of analysis.
Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships without cryptographic signature validation (CWE-347), letting an attacker who reaches the update capability push a malicious firmware image and have it executed by the device. Reported by DIVD (advisory DIVD-2026-00001) with a CVSS 4.0 base score of 9.3 and a 'Jwt Attack' angle noted in triage tags, the flaw grants full compromise of the charger. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue privileged commands without any credentials, enabling sensitive information disclosure, forced reboots, and - most dangerously - the ability to push an arbitrary firmware update URL to the device. Reported by DIVD (DIVD-2026-00001), it carries CVSS 4.0 base 8.7 (High). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary file write in the Evbee DC-80 EV charging station lets remote unauthenticated attackers overwrite any file on the device by sending a POST request whose Content-Disposition filename parameter is trusted without validation. Because a written file can clobber system files (denial of service) or replace shell scripts that are later executed, this escalates to remote code execution. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CWE-20 root cause make this a critical, high-priority flaw.
Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that requires no login, allowing remote unauthenticated attackers to read sensitive data such as configured passwords and to upload arbitrary files via multiple endpoints. Reported through the DIVD CSIRT coordinated-disclosure program (DIVD-2026-00001), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable, no-privilege vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
OS command injection in the EVBEE DC-80 electric-vehicle DC charger lets an actor who can send OCPP messages execute arbitrary commands as root by tampering with the data value of the vendor-specific `ReserveLogin` DataTransfer message. The flaw was reported by DIVD (Dutch Institute for Vulnerability Disclosure) and affects the charger's OCPP handling; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because execution occurs as root, successful exploitation results in full compromise of the charging station.
Remote code execution in the evbee DC-80 EV charging station is possible through a command injection flaw in the network diagnosis endpoint exposed on the web server at TCP port 8090. Because the CVSS 4.0 vector specifies no privileges and no user interaction (AV:N/PR:N/UI:N), a remote unauthenticated attacker who can reach port 8090 can inject operating-system commands and fully compromise the device. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the DIVD coordinated disclosure and 9.3 (Critical) score make it a high-priority defect.