CVE-2026-9037
Firmware Signature Bypass in Charging Controller
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: ICS-CERT
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-494 | The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the firmware update mechanism of a charging controller device. The mechanism does not validate the authenticity of firmware packages received through the device's management interface. Specifically, it fails to verify cryptographic signatures on the firmware packages.
As a result, an attacker who can interfere with or impersonate the management channel could cause the device to install unauthorized firmware. This unauthorized firmware could execute code with high privileges on the device.
How can this vulnerability impact me?
The impact of this vulnerability is significant because it allows an attacker to execute unauthorized code with high privileges on the affected device. This could lead to complete compromise of the device, potentially allowing the attacker to control its functions, disrupt its operation, or use it as a foothold for further attacks within a network.
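The CWE-494 gap described above, and the check that closes it, as an added Go example that is not the vendor's code: the package layout (length field, image, Ed25519 signature), the function names and the pinned-key model are all assumptions. ParseUnverified mirrors the vulnerable update path; VerifyPackage is the hardened form that refuses any image whose signature does not verify under the device's pinned public key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical layout (not the vendor's format): 4-byte big-endian image length,
// the image, then a 64-byte Ed25519 signature over the image. BuildPackage runs at
// build time; the signing key never lives on the device.
func BuildPackage(priv ed25519.PrivateKey, image []byte) []byte {
	pkg := binary.BigEndian.AppendUint32(nil, uint32(len(image)))
	pkg = append(pkg, image...)
	return append(pkg, ed25519.Sign(priv, image)...)
}

// ParseUnverified is the CWE-494 pattern: whatever arrived over the management
// channel goes straight to the installer, signature or not.
func ParseUnverified(pkg []byte) ([]byte, error) {
	if len(pkg) < 4 || int(binary.BigEndian.Uint32(pkg[:4])) > len(pkg)-4 {
		return nil, errors.New("short or truncated package")
	}
	return pkg[4 : 4+binary.BigEndian.Uint32(pkg[:4])], nil
}

// VerifyPackage is the hardened form: only the pinned public key is on the device,
// and an image is returned solely when the signature over it verifies.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	n := len(pkg) - 4 - ed25519.SignatureSize
	if n < 0 || int(binary.BigEndian.Uint32(pkg[:4])) != n {
		return nil, errors.New("bad package size or length field")
	}
	image, sig := pkg[4:4+n], pkg[4+n:]
	if !ed25519.Verify(pub, image, sig) {
		return nil, errors.New("firmware signature invalid: refusing install")
	}
	return image, nil
}

func main() { // one flipped bit: accepted unverified, rejected verified
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	pkg := BuildPackage(priv, []byte("constructed firmware image v2"))
	pkg[6] ^= 1
	_, e1 := ParseUnverified(pkg)
	_, e2 := VerifyPackage(pub, pkg)
	fmt.Println(e1 == nil, e2)
}
```

On a real device the public key belongs in immutable storage (OTP fuses or a signed boot ROM region), and the installer should also enforce a monotonic version to keep a validly signed older image from being replayed.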