CVE-2026-9039

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.

Published: 5/28/2026Modified: 5/29/2026

Related Intelligence (1)

CRITICALPhishing

XCharge C6

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-08.json"><strong>View CSAF</strong></a></p> <h2>Summary</h2> <p><strong>Successful exploitation of these vulnerabilities could allow an attacker to gain administrator rights or execute code on the affected device.</strong></p> <p>The following versions of XCharge C6 are affected:</p> <ul> <li>C6</li> </ul

CVE-2026-9037CVE-2026-9038
CISA Advisories

References (1)

https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08