CVE-2026-9039
Description
A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Default administrative credentials in XCharge C6's remote management service allow a physically connected malicious charging device to gain full administrative access.
Vulnerability
The remote management service of XCharge C6 (versions prior to May 22, 2026) contains a configuration weakness that permits an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling [1]. The service is accessible on interfaces exposed through the charging connector and accepts a default administrative credential [1]. This allows an attacker with physical access to the charging interface to authenticate as an administrator.
Exploitation
An attacker must have physical access to the charging connector of an affected XCharge C6 device. By connecting a malicious charging device or a device that can communicate over the charging interface, the attacker can establish a session on the remote management service using the known default administrative credential [1]. No additional authentication bypass or user interaction is required.
Impact
Successful exploitation grants the attacker full administrative access to the XCharge C6 device. This can result in complete compromise of the device, including the ability to modify configuration, install unauthorized firmware, and disrupt charging operations [1]. The attacker gains high privileges on the device.
Mitigation
XCharge released a firmware update on May 22, 2026 that addresses this vulnerability [1]. Users are advised to update affected XCharge C6 devices to the latest firmware version available after May 22, 2026. No workarounds are documented in the advisory; applying the patch is the recommended mitigation.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
1. XCharge C6, CISA ICS Advisories