CVE-2026-9039

Summary

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.

Affected Software

VendorProductVersion RangeStatus
XChargeC60 < May_22_2026affected

Weaknesses

  • CWE-1188: CWE-1188 Initialization of a resource with an insecure default

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References