Description
A security flaw has been discovered in the Besen BS20 EV Charging Station up to version 20260426. Affected by this vulnerability is an unknown function of the Firmware Version Check component. The manipulation results in improper restriction of rendered UI layers. The attack can be executed remotely, but it carries a high complexity rating and exploitation appears to be difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026."
Published: 2026-05-24
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper restriction of rendered UI layers in the firmware version check component of Besen BS20 EV charging stations. Manipulating the component causes UI layers to be incorrectly displayed or omitted, allowing an attacker to spoof or bypass the firmware update validation UI.

Affected Systems

Affected systems are Besen BS20 EV charging stations running firmware versions up to 20260426. The flaw resides in the Firmware Version Check component and permits remote exploitation, but a high complexity level makes successful exploitation difficult.

Risk and Exploitability

Risk: the CVSS score of 6.3 indicates moderate severity, with potential for meaningful abuse and impact. EPSS information is not available, so the probability of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. The exploit requires remote access and moderate to high effort, making it nontrivial but possible against a targeted device. Mitigation involves applying a firmware update that addresses the UI layer manipulation flaw.

Generated by OpenCVE AI on May 24, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Besen BS20 EV charging station firmware to a version that includes the Firmware Version Check patch, ensuring the UI layer restrictions function correctly.
  • Restrict network access to the charging station’s UI by implementing VLANs and firewall rules that allow connections only from trusted management devices.
  • Enable and monitor logs for anomalous UI layer rendering or firmware update attempts, and configure alerts for suspicious activity.



Advisories

No advisories yet.

History

Sun, 24 May 2026 20:45:00 +0000

Type / Values Removed / Values Added
Description (added): A security flaw has been discovered in the Besen BS20 EV Charging Station up to version 20260426. Affected by this vulnerability is an unknown function of the Firmware Version Check component. The manipulation results in improper restriction of rendered UI layers. The attack can be executed remotely, but it carries a high complexity rating and exploitation appears to be difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026."
Title (added): Besen BS20 EV Charging Station Firmware Version Check ui layer
First Time appeared (added): Besen; Besen bs20 Ev Charging Station
Weaknesses (added): CWE-1021
CPEs (added): cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:*
Vendors & Products (added): Besen; Besen bs20 Ev Charging Station
References (added):
Metrics (added): cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T20:15:11.018Z

Reserved: 2026-05-24T06:18:58.081Z

Link: CVE-2026-9396

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T21:30:08Z

Weaknesses