


Perceptive Security
SOC/SIEM Consultancy

XCharge C6
Published:
28 May 2026 at 12:00:00
Alert date:
28 May 2026 at 17:06:19
Source:
cisa.gov
Mobile & IoT, Critical Infrastructure
CISA published an advisory for multiple critical vulnerabilities in XCharge C6 electric vehicle charging controllers. The vulnerabilities include a firmware update mechanism that fails to validate authenticity (CVE-2026-9037, CVSS 9.8), a stack-based buffer overflow in signal processing (CVE-2026-9038, CVSS 7.6), and insecure default credentials in the remote management service (CVE-2026-9039, CVSS 7.6). Successful exploitation could allow attackers to gain administrator rights or execute code on affected devices. The vulnerabilities affect XCharge C6 chargers deployed worldwide in the transportation systems critical infrastructure sector. XCharge has confirmed that updates have been deployed for all affected chargers.
Affected products:
XCharge C6
Related links:
https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-08.json
https://www.cve.org/CVERecord?id=CVE-2026-9037
https://www.cve.org/CVERecord?id=CVE-2026-9038
https://www.cve.org/CVERecord?id=CVE-2026-9039
https://www.xcharge.com/contact
https://cwe.mitre.org/data/definitions/494.html
https://cwe.mitre.org/data/definitions/121.html
https://cwe.mitre.org/data/definitions/1188.html
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
This article was created with the assistance of AI technology by Perceptive.
