Description
A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.
Published: 2026-05-28
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a firmware update mechanism in XCharge C6 charging controllers that does not verify the authenticity of firmware packages delivered through the device's management interface. Cryptographic signatures are omitted, allowing an actor who can intercept or impersonate the management channel to install an unauthorized firmware package. The result is the ability to execute code with high privileges on the device, compromising its operation and potentially posing a danger to connected vehicles or infrastructure.

Affected Systems

All XCharge C6 charging controller firmware is impacted. No specific firmware version numbers are provided, so the existing VPN and management support for all C6 models requires remediation.

Risk and Exploitability

The CVSS score of 9.3 classifies this flaw as critical, and the attacker needs only a foothold in the management channel to exploit it. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, the public exploitation probability is unclear, but the high severity indicates that the potential impact drives a high-priority response. The most likely attack vector is remote or local access to the management interface; an attacker could use it as a foothold for further malicious activity if the device is networked.

Generated by OpenCVE AI on May 28, 2026 at 20:36 UTC.

Remediation

Vendor Solution

XCharge has confirmed that the update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details if needed. https://www.xcharge.com/contact

OpenCVE Recommended Actions

  • Install the XCharge‑provided firmware update for all affected C6 chargers
  • Restrict or disable external access to the device's management interface until the update is applied
  • Monitor logs for any unauthorized firmware update activity and investigate suspicious entries
  • If immediate update deployment is impossible, disable the management interface temporarily to prevent exploitation until the patch is installed

Generated by OpenCVE AI on May 28, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Xcharge
Xcharge c6
Vendors & Products Xcharge
Xcharge c6

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.
Title Download of code without integrity check in XCharge C6
Weaknesses CWE-494
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Xcharge C6
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-29T15:00:12.905Z

Reserved: 2026-05-19T16:54:38.351Z

Link: CVE-2026-9037

cve-icon Vulnrichment

Updated: 2026-05-29T14:59:56.852Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T20:16:27.093

Modified: 2026-05-29T15:42:56.873

Link: CVE-2026-9037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:47:58Z

Weaknesses