CVE-2026-9397 Besen CVE debrief

Who should care

Organizations operating Besen BS20 EV Charging Stations, critical infrastructure operators with EV charging deployments, IoT/OT security teams, and facilities management responsible for EV charging infrastructure security.

Technical summary

The Besen BS20 EV Charging Station's OTA Update Installation Handler fails to properly validate authorization for firmware installation operations. A remote attacker with sufficient technical capability could potentially bypass authorization checks to install malicious or unauthorized firmware, resulting in complete compromise of confidentiality, integrity, and availability of the charging station. The attack complexity is high due to required conditions, and exploitation is considered difficult. The vulnerability affects all firmware versions up to and including 20260426.

Defensive priority

HIGH

Recommended defensive actions

• Verify Besen BS20 EV Charging Station firmware version and ensure updates beyond 20260426 are installed when available
• Implement network segmentation to restrict EV charging station management interfaces from untrusted networks
• Monitor for unauthorized OTA update attempts through network traffic analysis and device integrity checks
• Contact Besen for official security advisory and patch timeline
• Review and strengthen OTA update signing and verification mechanisms for IoT/OT device deployments

Evidence notes

CVSS 4.0 vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P. CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization) identified. VulnStatus: Deferred in NVD.

Official resources