# Multiple Vulnerabilities Discovered in XCharge C6 Charging Stations Could Lead to Code Execution, Privilege Escalation
The Cybersecurity and Infrastructure Security Agency (**CISA**) has issued an advisory regarding multiple vulnerabilities affecting **XCharge C6** charging stations. Successful exploitation of these flaws could allow attackers to gain administrator rights or execute arbitrary code on the affected devices.
## Vulnerabilities in XCharge C6 Charging Stations
Multiple vulnerabilities have been identified in **XCharge C6** charging stations, potentially impacting transportation systems worldwide. These vulnerabilities could allow attackers to gain unauthorized access and control over the charging stations.
[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-08.json)
### Affected Products
* **XCharge** C6 charging stations, specifically versions prior to May 22, 2026.
### Vulnerability Details
The vulnerabilities include:
* **CVE-2026-9037**: Download of Code Without Integrity Check. This vulnerability exists in the firmware update mechanism. The charging controller fails to validate the authenticity of firmware packages, allowing an attacker to install unauthorized firmware and execute code with high privileges.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-9037)
Relevant CWE: [CWE-494 Download of Code Without Integrity Check](https://cwe.mitre.org/data/definitions/494.html)
* **CVE-2026-9038**: Stack-based Buffer Overflow. An attacker with physical access to the charging interface can exploit a buffer overflow vulnerability in the signal-processing logic. By supplying message fields that exceed expected bounds, memory corruption can occur, leading to unauthorized code execution with elevated privileges.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-9038)
Relevant CWE: [CWE-121 Stack-based Buffer Overflow](https://cwe.mitre.org/data/definitions/121.html)
* **CVE-2026-9039**: Initialization of a Resource with an Insecure Default. A configuration weakness in the remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector and accepts a default administrative credential, enabling a malicious device to gain full administrative access.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-9039)
Relevant CWE: [CWE-1188 Initialization of a Resource with an Insecure Default](https://cwe.mitre.org/data/definitions/1188.html)
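
The CWE-121 class described for CVE-2026-9038 comes down to copying a sender-declared field length into a fixed-size stack buffer without checking it. The following is an added illustration of the defensive length checks, not XCharge code and not from the advisory; the frame layout, `FIELD_MAX`, and all names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 32  /* assumed capacity of the fixed-size field buffer */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Hypothetical frame layout (constructed for illustration):
 *   byte 0     field type
 *   byte 1..2  declared field length, big-endian
 *   byte 3..   field data */
struct field { uint8_t type; uint16_t len; uint8_t data[FIELD_MAX]; };

/* The unsafe pattern is a copy that trusts the sender-declared length:
 *   uint8_t buf[FIELD_MAX]; memcpy(buf, frame + 3, declared);
 * parse_field() rejects such frames before any copy takes place. */
int parse_field(const uint8_t *frame, size_t frame_len, struct field *out)
{
    if (frame == NULL || out == NULL || frame_len < 3)
        return PARSE_TRUNCATED;

    uint16_t declared = (uint16_t)((frame[1] << 8) | frame[2]);

    /* Check 1: the declared length must fit the destination buffer. */
    if (declared > FIELD_MAX)
        return PARSE_TOO_LONG;
    /* Check 2: the declared length must not exceed the bytes received. */
    if ((size_t)declared > frame_len - 3)
        return PARSE_TRUNCATED;

    out->type = frame[0];
    out->len = declared;
    memcpy(out->data, frame + 3, declared);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed frame: declares 64 data bytes for a 32-byte buffer. */
    uint8_t oversized[3 + 64] = { 0x02, 0x00, 0x40 };
    struct field f;
    return parse_field(oversized, sizeof oversized, &f) == PARSE_TOO_LONG ? 0 : 1;
}
```

Both checks are needed: the first prevents writing past the destination buffer, the second prevents reading past the end of the received frame.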
### Impact
Successful exploitation of these vulnerabilities could allow an attacker to:
* Gain administrator rights on the affected device.
* Execute arbitrary code.
* Install unauthorized firmware.
* Obtain full administrative access.
### Recommended Mitigations
**CISA** recommends the following mitigations to minimize the risk of exploitation:
* Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls, isolating them from business networks.
* When remote access is required, use secure methods such as Virtual Private Networks (**VPNs**), ensuring they are updated to the most current version.
* Perform proper impact analysis and risk assessment prior to deploying defensive measures.
* Implement recommended cybersecurity strategies for proactive defense of ICS assets.
* Follow established internal procedures and report suspected malicious activity to **CISA**.
* Do not click web links or open attachments in unsolicited email messages.
### Acknowledgements
Lionel R. Saposnik of SaiFlow reported these vulnerabilities to **CISA**.