CVE-2026-0778 - Vulnerability Details

- Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability

Description

Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23285.

Published: 2026-01-23

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A missing authentication check in the telnet service on Enel X JuiceBox 40 charging stations permits an attacker to run arbitrary code with the privileges of the service account. The telnet service listens on TCP port 2000 by default and does not require any credentials; thus, authentication is not enforced before allowing remote connections. Based on the description, it is inferred that an attacker who can reach the network can connect to this port and execute code, resulting in full compromise of the device’s confidentiality, integrity, and availability.

Affected Systems

The affected product is the Enel X JuiceBox 40 charging station. No specific firmware revisions or version ranges are provided, so all units that ship with the default telnet service enabled should be considered vulnerable.

Risk and Exploitability

The CVSS score is 8.8, indicating a severe risk. The EPSS score is reported as less than 1%, which suggests that current exploitation rates are very low, yet the weakness remains present. This vulnerability is not listed in CISA’s KEV catalog. It is inferred that the likely attack vector is any network element that can access the telnet port—such as nearby sensors or management devices on the same local network—because authentication is not required, making the exploit straightforward for an attacker with network access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Enel X

JuiceBox 40

unknown

Version	Status	Constraints
`4.2.7`	affected	—

No data.

Vendor	Product	Confidence	Versions
Enel X	Juicebox 40	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Disable the telnet service entirely on all JuiceBox 40 units if it is not needed for operations.
If the service must remain, use firewall rules to block TCP port 2000 from all networks except the internal management network.
Apply any vendor‑released firmware or security update that adds authentication to the telnet service or otherwise removes the unauthenticated access path.

Generated by OpenCVE AI on April 18, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00278.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.zerodayinitiative.com/advisories/ZDI-26-041/

History

Fri, 23 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Enel X Enel X juicebox 40
Vendors & Products		Enel X Enel X juicebox 40

Fri, 23 Jan 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23285.
Title		Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability
Weaknesses		CWE-306
References		https://www.zerodayinitiative.com/advisories/ZDI-26-041/
Metrics		cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Enel X Juicebox 40

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2026-01-23T03:29:50.413Z

Updated: 2026-01-23T19:15:17.480Z

Reserved: 2026-01-08T22:51:00.955Z

Link: CVE-2026-0778

Vulnrichment

Updated: 2026-01-23T19:15:12.269Z

NVD

Status : Deferred

Published: 2026-01-23T04:16:05.073

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses

CWE-306

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object