PatchSiren cyber security CVE debrief
CVE-2026-8980 Mennekes CVE debrief
CVE-2026-8980 documents a critical privilege escalation vulnerability in Mennekes Amtron series charging stations running firmware versions ≤ 5.22.3. An authenticated attacker with low-privilege access can escalate to administrative or manufacturer-level control by sending crafted POST requests that change the passwords of the admin (operator) and manufacturer accounts. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no required privileges for initial access (though authentication is required for the vulnerable function), and high impact across the confidentiality, integrity, and availability dimensions. The vulnerability was disclosed on 2026-05-28 and carries a CRITICAL severity rating with a CVSS score of 9.3. The weakness is classified under CWE-269 (Improper Privilege Management). No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Mennekes
- Product: Amtron
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations operating electric vehicle charging infrastructure, particularly those deploying Mennekes Amtron series equipment in commercial, fleet, or public charging deployments. Critical infrastructure operators, facility managers, and cybersecurity teams responsible for OT/ICS security in energy and transportation sectors should prioritize assessment and remediation.
Technical summary
The Mennekes Amtron series charging stations contain an improper privilege management vulnerability (CWE-269) in firmware versions 5.22.3 and earlier. The device exposes password modification functionality that fails to enforce authorization boundaries between account privilege levels. An authenticated session with low-privilege credentials can submit POST requests to password change endpoints targeting higher-privilege accounts (admin/operator and manufacturer roles). This architectural flaw enables complete compromise of device administrative functions without requiring prior administrative access. The vulnerability is remotely exploitable over network-accessible management interfaces with low attack complexity, resulting in high impact across all security dimensions per CVSS 4.0 assessment.
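The following is an added illustration of the CWE-269 pattern the summary describes, written for this debrief; it is not Mennekes firmware code and the account names, roles, handler signatures and the in-memory account store are assumptions. The vulnerable handler accepts any authenticated session and writes the new password to whichever target account the request names; the hardened handler lets a session change only its own password (with proof of the current one) or the password of a strictly lower-privilege account.

```python
"""Password-change authorization: missing check beside the enforced one.

Added example for CVE-2026-8980; hypothetical roles and account store,
not the vendor's implementation.
"""
from dataclasses import dataclass, field

# Hypothetical role ranking: a higher number means more privilege.
ROLE_RANK = {"user": 1, "operator": 2, "manufacturer": 3}


@dataclass
class Session:
    """An authenticated session: which account it belongs to and its role."""
    account: str
    role: str


@dataclass
class Device:
    """Hypothetical charger account store: account -> [role, password]."""
    accounts: dict = field(default_factory=lambda: {
        "user": ["user", "user-pw"],
        "operator": ["operator", "op-pw"],
        "manufacturer": ["manufacturer", "mfr-pw"],
    })

    def change_password_vulnerable(self, session, target, new_pw):
        """CWE-269 pattern: only 'is someone logged in?' is checked.

        The target account's privilege level is never compared with the
        caller's, so a low-privilege session can reset the operator or
        manufacturer password.
        """
        if session is None or target not in self.accounts:
            return False
        self.accounts[target][1] = new_pw
        return True

    def change_password_hardened(self, session, target, new_pw, current_pw=None):
        """Enforce an authorization boundary between privilege levels.

        - Self-change requires the caller to present its current password.
        - Changing another account is allowed only when the caller's role
          ranks strictly above the target's (no horizontal or upward moves).
        """
        if session is None or target not in self.accounts:
            return False
        target_role = self.accounts[target][0]
        if target == session.account:
            if current_pw != self.accounts[target][1]:
                return False
        elif ROLE_RANK.get(session.role, 0) <= ROLE_RANK.get(target_role, 0):
            return False  # deny escalation to an equal or higher role
        self.accounts[target][1] = new_pw
        return True


if __name__ == "__main__":
    low = Session(account="user", role="user")
    print("vulnerable:", Device().change_password_vulnerable(low, "manufacturer", "x"))
    print("hardened:  ", Device().change_password_hardened(low, "manufacturer", "x"))
```

The essential difference is the second branch of the hardened handler: authorization is decided from the target account's role, not merely from the fact that the caller holds a valid session.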
Defensive priority
critical
Recommended defensive actions
- Identify all Mennekes Amtron series charging stations within infrastructure and verify firmware versions against the affected range (≤ 5.22.3)
- Restrict network access to charging station management interfaces to authorized administrative hosts only
- Implement strong authentication controls and monitor for anomalous password change activities on admin and manufacturer accounts
- Contact Mennekes for firmware update availability and apply patched versions when released
- Review access logs for indicators of unauthorized privilege escalation attempts
- Segment charging station management networks from operational technology and enterprise networks
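As an added example of the monitoring and log-review actions above (not tooling from Mennekes or from this advisory), the script below flags two conditions over a constructed, hypothetical key=value management log: a password change whose target account outranks the acting session, and management actions arriving from a host outside an assumed allow-list of administrative hosts. The log format, the host allow-list and the account-to-role mapping are all assumptions.

```python
"""Detect escalation-style password changes and off-allow-list management access.

Added example for CVE-2026-8980; the log format and values are constructed.
"""

ROLE_RANK = {"user": 1, "operator": 2, "manufacturer": 3}
# Assumed mapping of account names to roles on the device.
ACCOUNT_ROLES = {"guest": "user", "operator": "operator", "manufacturer": "manufacturer"}
# Assumed allow-list of hosts permitted to reach the management interface.
MANAGEMENT_HOSTS = {"10.0.5.10"}

# Constructed sample log lines (hypothetical format, not a real device log).
SAMPLE_LOG = """\
2026-05-28T10:00:00Z src=10.0.5.10 user=operator role=operator action=change_password target=operator status=200
2026-05-28T10:01:02Z src=10.0.5.21 user=guest role=user action=change_password target=manufacturer status=200
2026-05-28T10:02:15Z src=10.0.5.21 user=guest role=user action=change_password target=operator status=403
2026-05-28T10:03:40Z src=198.51.100.7 user=operator role=operator action=login target=- status=200
2026-05-28T10:04:00Z src=10.0.5.10 user=manufacturer role=manufacturer action=change_password target=operator status=200
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def analyze(log_text):
    """Return a list of alert dicts for the suspicious events in log_text."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["action"] == "change_password":
            actor_rank = ROLE_RANK.get(ev["role"], 0)
            target_rank = ROLE_RANK.get(ACCOUNT_ROLES.get(ev["target"], ""), 0)
            if target_rank > actor_rank:
                # A successful change is the escalation itself; a rejected one is
                # still worth knowing about as an attempt.
                severity = "high" if ev["status"] == "200" else "medium"
                alerts.append({
                    "ts": ev["ts"], "severity": severity,
                    "reason": f"{ev['user']} ({ev['role']}) changed password of {ev['target']} (status {ev['status']})",
                })
        if ev["action"] in {"login", "change_password"} and ev["src"] not in MANAGEMENT_HOSTS:
            alerts.append({
                "ts": ev["ts"], "severity": "medium",
                "reason": f"management action '{ev['action']}' from non-allow-listed host {ev['src']}",
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["severity"].upper(), alert["reason"])
```

Run against the sample, the script produces one high-severity alert (the successful change of the manufacturer password by a low-privilege session) and four medium ones; in practice the same comparison would be run over the device's own access log once its fields are mapped onto the actor, target and source-host columns used here.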
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. CVSS 4.0 vector and CWE classification provided in NVD metadata. Vendor attribution to Mennekes derived from reference domain evidence (Cyberdanube security research). Firmware version constraint (≤ 5.22.3) explicitly stated in CVE description.
Official resources
- CVE-2026-8980 CVE record (CVE.org)
- CVE-2026-8980 NVD detail (NVD)
- Source reference: 2026-05-28