CVE-2026-9039 PUBLISHED

Initialization of a resource with an insecure default in XCharge C6

Assigner: icscert
Reserved: 19.05.2026 Published: 28.05.2026 Updated: 28.05.2026

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 8.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Physical	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	XCharge
Product	C6
Versions	Default: unaffected affected from 0 to May_22_2026 (excl.)

Solutions

XCharge has confirmed that the update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details if needed. https://www.xcharge.com/contact

Credits

Lionel R. Saposnik of SaiFlow reported these vulnerabilities to CISA. finder

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08

Problem Types

CWE-1188 Initialization of a resource with an insecure default CWE