XCharge C6
Plan Patch | CVSS 9.8 | ICS-CERT ICSA-26-148-08 | May 28, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Critical vulnerabilities in XCharge C6 charging stations (firmware versions before May 22, 2026) allow unauthenticated remote attackers to gain administrator rights and execute arbitrary code. The vulnerabilities stem from improper input validation (CWE-494), buffer overflow conditions (CWE-121), and insecure data handling (CWE-1188). XCharge has deployed a firmware update to address these issues.
What this means
What could happen
An attacker could gain administrator rights on the charging station and execute arbitrary code, potentially disrupting EV charging operations, manipulating billing data, or accessing sensitive information.
Who's at risk
Electric utilities and fleet operators deploying XCharge C6 EV charging stations. This affects the availability and security of publicly accessible or fleet charging infrastructure, as well as billing and operational data.
How it could be exploited
An attacker with network access to the C6 charging station could exploit improper input validation or insecure code handling to upload or execute malicious code, gaining full control of the device without requiring authentication.
Prerequisites
- Network access to the C6 charging station (likely Ethernet or connected network)
- No authentication credentials required
- Remotely exploitable
- No authentication required
- Low complexity
- High CVSS score (9.8)
- Affects critical infrastructure charging systems
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
C6 | < May 22 2026 | No fix yet
Remediation & Mitigation
Do now
- HOTFIX: Contact XCharge Support or check xcharge.com for confirmation that your C6 chargers have received the latest firmware update deployed as of May 22, 2026
- WORKAROUND: If firmware version cannot be confirmed, isolate C6 chargers from untrusted networks until updated
Long-term hardening
- HARDENING: Implement network segmentation to restrict C6 charger access to authorized management systems only