The vulnerability permits an attacker on the local network to exploit a weak password requirement in the Bluetooth Low Energy handler of the Besen BS20 EV Charging Station. By manipulating the BLE interface it becomes possible to authenticate without the strong credentials normally expected, allowing the attacker to control charging operations or gain access to device state information. This weakness arises from inadequate authentication (CWE‑521) and could lead to unauthorized configuration changes or misuse of the charging session, compromising the confidentiality and integrity of the charging process.

Besen BS20 EV Charging Station, firmware versions released through 2026‑04‑26 are affected. No specific model or version sub‑range beyond the upstream release date is detailed.

The CVSS base score of 2.3 indicates low systemic impact under the current conditions; however, the attack requires physical proximity within the local network and has a high complexity and difficult exploitability rating. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the probability of widespread exploitation is considered low but the local nature of the attack means that any compromised network segment could be used to enumerate or manipulate the charging station. There is no currently available public exploit, but the weakness is exploitable if the attacker can induce the device to perform a BLE interaction, thus significant risk remains for local network owners.