CVE-2026-9395 Besen CVE debrief

Who should care

Owners and operators of Besen BS20 EV charging stations, facilities management securing EV infrastructure, OT security teams protecting charging networks, and organizations with Bring Your Own Charger (BYOC) policies

Technical summary

The Besen BS20 EV Charging Station transmits or stores credentials without adequate protection when handling BLE and UDP communications. An attacker with adjacent network access can intercept these credentials in cleartext. The vulnerability affects firmware versions through 20260426. Attack complexity is low, requiring no user interaction, but privileges are limited and impact is restricted to low confidentiality loss with no integrity or availability impact.

Defensive priority

low

Recommended defensive actions

• Segment EV charging station networks from critical infrastructure and user devices to contain potential credential exposure
• Monitor for unauthorized BLE scanning or UDP traffic targeting Besen BS20 devices on local networks
• Apply firmware updates from Besen when available; verify patch addresses credential protection in BLE/UDP handlers
• Review and rotate any credentials that may have been transmitted via affected devices
• Conduct network traffic analysis to detect cleartext credential transmission from charging stations

Evidence notes

Vulnerability disclosed via GitHub security research repository and indexed by VulDB. Vendor acknowledgment confirmed in disclosure. NVD status marked as 'Deferred' as of 2026-05-26.

Official resources