PatchSiren cyber security CVE debrief
CVE-2026-9394 Besen CVE debrief
A low-severity vulnerability (CVSS 4.0: 1.3) affects Besen BS20 EV Charging Station firmware versions up to 20260426. The issue resides in the Bluetooth Low Energy (BLE) Handler component, which enforces weak password requirements that can be exploited through manipulation. Attack complexity is high: the attack requires local network access, and exploitation is considered difficult. The vulnerability was disclosed to Besen in April 2026, and the vendor acknowledged the report and indicated it was under review. No known exploitation in the wild or ransomware campaign use has been reported. The CVE was published on 2026-05-24 and last modified on 2026-05-26.
- Vendor: Besen
- Product: BS20 EV Charging Station
- CVSS: LOW 1.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-24
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-24
- Advisory updated: 2026-05-26
Who should care
Operators of Besen BS20 EV charging infrastructure, facilities managers with EV charging deployments, IoT/OT security teams, and organizations with electric vehicle fleet charging stations.
Technical summary
The Besen BS20 EV Charging Station's Bluetooth Low Energy Handler implements insufficient password requirements, allowing potential authentication manipulation. The attack requires local network proximity, has high complexity, and is considered difficult to exploit. The vulnerability is classified under CWE-521 (Weak Password Requirements). No proof-of-concept exploitation details are publicly available.
Defensive priority
LOW
Recommended defensive actions
- Review Besen BS20 firmware update availability beyond version 20260426
- Audit EV charging station BLE authentication configurations
- Monitor vendor security advisories for patch release
- Implement network segmentation for EV charging infrastructure
- Assess password policy enforcement on IoT/OT devices
Evidence notes
Source references indicate that the researcher disclosed the issue via GitHub and a VulDB submission. Vendor acknowledgment is documented in the original disclosure. NVD status: Deferred.
Official resources
Disclosed to vendor April 2026; vendor acknowledged and reviewing as of disclosure date. CVE published 2026-05-24.