CVE-2026-9039
Awaiting Analysis Awaiting Analysis - Queue
Remote Management Service Authentication Bypass in Electric Vehicle Charger

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: ICS-CERT

Description
A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-16
NVD
CVE-2026-9039
EUVD
EUVD-2026-33004
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, immediate steps should focus on addressing the configuration weakness in the remote management service.

  • Disable or restrict access to the remote management service over the vehicle-charger signaling communication channel.
  • Change or remove the default administrative credentials to strong, unique passwords.
  • Physically secure the charging interface to prevent unauthorized devices from connecting.
Executive Summary

This vulnerability is a configuration weakness in a device's remote management service. It allows an authenticated session to be established over a communication channel that is intended only for vehicle-charger signaling.

The remote management service is accessible through interfaces exposed by the charging connector and accepts a default administrative credential.

As a result, a malicious device physically connected to the charging interface could exploit this misconfiguration to gain full administrative access to the device.

Impact Analysis

This vulnerability can have a significant impact because it allows an attacker with physical access to the charging interface to gain full administrative control over the device.

With full administrative access, the attacker could potentially manipulate device settings, disrupt normal operations, or compromise the security and functionality of the device.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9039. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart