CVE-2026-9037 PUBLISHED

Download of code without integrity check in XCharge C6

Assigner: icscert
Reserved: 19.05.2026 Published: 28.05.2026 Updated: 28.05.2026

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	XCharge
Product	C6
Versions	Default: unaffected affected from 0 to May_22_2026 (excl.)

Solutions

XCharge has confirmed that the update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details if needed. https://www.xcharge.com/contact

Credits

Lionel R. Saposnik of SaiFlow reported these vulnerabilities to CISA. finder

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08

Problem Types

CWE-494 Download of code without integrity check CWE