CVE-2026-9396 Besen CVE debrief

Who should care

Operators of Besen BS20 EV charging infrastructure, critical infrastructure security teams, IoT/OT security practitioners, electric vehicle fleet managers, and organizations with public or workplace charging deployments

Technical summary

The Besen BS20 EV Charging Station contains an improper restriction of rendered UI layers vulnerability (CWE-1021) in its Firmware Version Check component. An attacker with network access can manipulate firmware version verification to spoof UI elements, potentially misleading users or administrators about device state. The attack requires high complexity to execute and results in low integrity impact per CVSS 4.0 scoring. The vulnerability affects devices running firmware up to version 20260426. Remote exploitation is possible without authentication, though the difficult exploitation path reduces immediate risk. The researcher disclosed findings to Besen with vendor acknowledgment of active review as of April 2026; no patch availability timeline has been published.

Defensive priority

low

Recommended defensive actions

• Monitor Besen security advisories for firmware updates addressing the BS20 EV Charging Station
• Review EV charging station UI authentication and firmware verification implementations for improper layer restriction weaknesses
• Implement network segmentation for EV charging infrastructure to limit remote attack exposure
• Verify firmware integrity through out-of-band validation mechanisms independent of device-reported version strings
• Contact Besen support to confirm remediation timeline and obtain patched firmware when available

Evidence notes

Vulnerability disclosed via VulDB with reference to GitHub research repository. Vendor acknowledgment documented in disclosure. NVD status marked as Deferred as of 2026-05-26. CVSS 4.0 vector indicates network attack vector with high attack complexity, no privileges required, and low integrity impact to the vulnerable system.

Official resources