CVE-2026-9039
Remote Management Service Authentication Bypass in Electric Vehicle Charger
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a configuration weakness in a device's remote management service. It allows an authenticated session to be established over a communication channel that is intended only for vehicle-charger signaling.
The remote management service is accessible through interfaces exposed by the charging connector and accepts a default administrative credential.
As a result, a malicious device physically connected to the charging interface could exploit this misconfiguration to gain full administrative access to the device.
How can this vulnerability impact me? :
This vulnerability can have a significant impact because it allows an attacker with physical access to the charging interface to gain full administrative control over the device.
With full administrative access, the attacker could potentially manipulate device settings, disrupt normal operations, or compromise the security and functionality of the device.