Description
The massive sending of ICMP requests causes a denial of service on one of the boards of the EVCharger that allows control of the EV interfaces, since the board must be operating correctly for the charger to also function correctly.
Published: 2026-01-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises when an attacker sends a large volume of ICMP packets to an EVCharger board. This flood overwhelms the board’s processing resources and causes the board to become unresponsive, resulting in a denial of service for the electric vehicle charging operation. The weakness is a classic denial‑of‑service flaw (CWE‑400) that disrupts the availability of the charging service.

Affected Systems

The affected products are EFACEC’s QC series EVCharger boards, specifically models QC 60, QC 90 and QC 120. These boards manage the interface controlling the electric vehicle charging process. The vulnerability is documented by Thales Group and can be found on the vendor’s site.

Risk and Exploitability

Based on the description, the likely attack vector is that an attacker sends ICMP traffic from a network that can reach the charging station. The attack requires no special privileges on the target device and can be launched remotely if ICMP traversal is allowed. The CVSS base score is 8.2, indicating a high‑severity impact. The EPSS score is under 1 %, meaning the probability of exploitation in the near term is low, and the vulnerability is not currently listed in CISA’s KEV.

Generated by OpenCVE AI on April 18, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install any vendor‑released update that fixes the ICMP denial of service issue.
  • Configure device or network firewalls to rate‑limit or block ICMP echo requests and replies reaching the EVCharger boards.
  • Segregate the charging station from untrusted networks and apply network segmentation or VLAN isolation to limit the scope of potential ICMP attacks.


Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Efacec; Efacec qc 120; Efacec qc 60; Efacec qc 90
Vendors & Products | | Efacec; Efacec qc 120; Efacec qc 60; Efacec qc 90

Wed, 07 Jan 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | The massive sending of ICMP requests causes a denial of service on one of the boards of the EVCharger that allows control of the EV interfaces, since the board must be operating correctly for the charger to also function correctly.
Title | | DENIAL OF SERVICE VIA ICMP PACKETS
Weaknesses | | CWE-400
References | |
Metrics | | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: S21sec

Published:

Updated: 2026-01-07T15:29:55.282Z

Reserved: 2026-01-07T14:01:04.829Z

Link: CVE-2026-22541

Vulnrichment

Updated: 2026-01-07T15:28:13.448Z

NVD

Status: Deferred

Published: 2026-01-07T16:15:51.593

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z
