CVE-2026-9037 XCharge CVE debrief

Who should care

Organizations operating electric vehicle charging infrastructure, critical infrastructure security teams, industrial control system administrators, and asset owners of affected charging controllers

Technical summary

The affected charging controller implements a firmware update mechanism that accepts packages through its management interface without verifying cryptographic signatures. The absence of integrity validation allows an attacker positioned to interfere with or impersonate the management channel to supply malicious firmware. The device installs the unauthorized package, resulting in execution of attacker-controlled code with elevated privileges. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects network accessibility, low attack complexity, and high impacts across security properties.

Defensive priority

critical

Recommended defensive actions

• Restrict network access to device management interfaces to authorized administrative hosts only
• Implement network segmentation to isolate charging controller management traffic from untrusted networks
• Verify firmware package authenticity through out-of-band channels before installation
• Monitor for unexpected firmware update events or unauthorized management connections
• Contact device manufacturer for patch availability and signed firmware update procedures
• Review device logs for indicators of unauthorized firmware installation attempts

Evidence notes

Vulnerability description sourced from NVD record published 2026-05-28. CVSS 4.0 vector indicates network attack vector with no required privileges or user interaction, resulting in high impact to confidentiality, integrity, and availability. CISA ICS-CERT advisory ICSA-26-148-08 referenced as primary source. Weakness classified as CWE-494 (Download of Code Without Integrity Check).

Official resources