Description
A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.
Published: 2026-05-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

XCharge C6 chargers expose a remote-management service on the vehicle-charger signaling interface, and that service accepts a default administrative credential. The misconfiguration allows any device that is physically connected to the charging port to establish an authenticated session. Once authenticated, the attacker gains full administrative control over the charger, enabling configuration changes, firmware updates, or malicious service manipulation with the potential for arbitrary code execution or denial of service. This flaw is a classic case of an insecure default, here a default credential (CWE-1188).

Affected Systems

The vulnerability affects XCharge C6 electric vehicle chargers. No specific firmware versions are listed, indicating that all released models could be impacted until the vendor’s patch is applied.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity. Although no EPSS score is available, exploitation requires only a direct physical connection to the charging port, which greatly lowers the barrier to exploitation in environments where vehicle owners or attackers can attach a device. The vulnerability is not listed in the CISA KEV catalog, but its potential for full administrative takeover makes it a critical risk for facilities that rely on the secure operation of their charging infrastructure.

Generated by OpenCVE AI on May 28, 2026 at 20:35 UTC.

Remediation

Vendor Solution

XCharge has confirmed that the update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details: https://www.xcharge.com/contact


OpenCVE Recommended Actions

  • Apply the vendor-supplied firmware update for XCharge C6.
  • After updating, change the default administrative credential to a strong, unique password.
  • Disable or restrict the remote-management interface on the charging-port signaling channel so that only authorized management networks can access it.


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Xcharge; Xcharge c6

Type: Vendors & Products
Values Removed: (none)
Values Added: Xcharge; Xcharge c6

Fri, 29 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.

Type: Title
Values Removed: (none)
Values Added: Initialization of a resource with an insecure default in XCharge C6

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-1188

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-29T15:01:35.931Z

Reserved: 2026-05-19T16:54:40.242Z

Link: CVE-2026-9039

Vulnrichment

Updated: 2026-05-29T15:01:30.772Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T20:16:27.350

Modified: 2026-05-29T15:42:56.873

Link: CVE-2026-9039

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:55Z

Weaknesses