PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9039 XCharge CVE debrief

A configuration weakness in an electric vehicle (EV) charger's remote management service allows authenticated administrative access over a communication channel intended solely for vehicle-charger signaling. The service is accessible via interfaces exposed through the charging connector and accepts a default administrative credential. A malicious device physically connected to the charging interface could exploit this misconfiguration to obtain full administrative access.

Vendor: XCharge
Product: C6
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

EV charging station operators, critical infrastructure security teams, automotive OEM security programs, industrial control system (ICS) asset owners, and organizations managing electric fleet charging infrastructure.

Technical summary

The vulnerability stems from insecure default initialization (CWE-1188): a remote management service accepts default administrative credentials over a communication channel designed exclusively for vehicle-charger signaling. The attack requires physical proximity (AV:P) to connect a malicious device to the charging connector interface. Successful exploitation grants complete administrative control of the charger (VC:H/VI:H/VA:H) and high impact on subsequent systems (SC:H/SI:H/SA:H), which this debrief reads as potential supply chain and safety consequences. The CVSS 4.0 score of 8.6 reflects severe impact despite the physical access requirement.

Defensive priority

HIGH

Recommended defensive actions

  • Physically secure charging connectors and interfaces to prevent unauthorized device attachment
  • Change default administrative credentials immediately; enforce strong, unique passwords for all management accounts
  • Disable or restrict remote management services on charging interfaces not intended for administrative access
  • Implement network segmentation to isolate charging communication channels from the management plane
  • Review and harden device initialization configurations to prevent insecure defaults (CWE-1188)
  • Monitor for anomalous authentication attempts on charging interface ports
  • Apply vendor firmware updates when available, per CISA ICS-CERT guidance
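The monitoring item above, as an added example that is not part of this debrief or of any XCharge software: a small detector that reads authentication events from a charger's management service and flags logins arriving over the vehicle-charger signaling interface, successful logins with the default administrative account, and bursts of failures from one source. The log line format, the interface names (`plc0`, `eth0`), the account name `admin` and the sample lines are all constructed assumptions.

```python
"""Added example, not code from the PatchSiren debrief or from XCharge.

Assumed log format (constructed for this example):
  <timestamp> mgmtd: auth <ok|fail> user=<name> iface=<if> src=<source>
"""
import re
from collections import defaultdict

# Assumed interface names: 'plc0' stands in for the vehicle-charger
# signaling link, 'eth0' for the operator's management LAN.
SIGNALING_IFACES = {"plc0"}
DEFAULT_ADMIN_ACCOUNTS = {"admin"}   # assumed default account name
BURST_THRESHOLD = 3                  # failures from one source before alerting

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mgmtd: auth (?P<result>ok|fail) user=(?P<user>\S+) "
    r"iface=(?P<iface>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Return (finding, user, src) tuples for every suspicious event."""
    findings = []
    failures = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # Any management authentication over the signaling channel is
        # out of policy: that channel should carry vehicle signaling only.
        if ev["iface"] in SIGNALING_IFACES:
            findings.append(("mgmt-auth-over-signaling", ev["user"], ev["src"]))
        # A successful login with the default admin account means the
        # credential was never changed.
        if ev["result"] == "ok" and ev["user"] in DEFAULT_ADMIN_ACCOUNTS:
            findings.append(("default-account-login", ev["user"], ev["src"]))
        # Repeated failures from one source: alert once at the threshold.
        if ev["result"] == "fail":
            failures[ev["src"]] += 1
            if failures[ev["src"]] == BURST_THRESHOLD:
                findings.append(("auth-burst", ev["user"], ev["src"]))
    return findings

# Constructed sample: one normal LAN login, then a device on the
# signaling link failing three times and then succeeding as 'admin'.
SAMPLE_LOG = """\
2026-05-28T09:00:01Z mgmtd: auth ok user=operator iface=eth0 src=10.0.5.20
2026-05-28T09:00:07Z mgmtd: auth fail user=admin iface=plc0 src=ev-link
2026-05-28T09:00:08Z mgmtd: auth fail user=admin iface=plc0 src=ev-link
2026-05-28T09:00:09Z mgmtd: auth fail user=admin iface=plc0 src=ev-link
2026-05-28T09:00:10Z mgmtd: auth ok user=admin iface=plc0 src=ev-link
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```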

Evidence notes

CVE published 2026-05-28. CISA ICS-CERT advisory ICSA-26-148-08 referenced as primary source. CVSS 4.0 vector indicates physical attack vector (AV:P) with high impacts across confidentiality, integrity, and availability. CWE-1188 (Insecure Default Initialization of Resource) identified as root cause classification.

Official resources

2026-05-28