VYPR · NVD Advisory · Severity: unrated · Published May 24, 2026

Besen BS20 EV Charging Station Bluetooth Low Energy weak password

CVE-2026-9394

Description

A vulnerability was identified in the Besen BS20 EV Charging Station, affecting firmware up to 20260426. It concerns an unknown function of the Bluetooth Low Energy Handler component. Manipulation results in weak password requirements. The attack must be carried out from within the local network, is of high complexity, and is considered difficult to exploit. The original disclosure states that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Besen BS20 EV charging station uses a weak fixed 6-digit password via BLE, enabling offline brute-force attacks for unauthorized control.

Vulnerability

CVE-2026-9394 affects the Besen BS20 Home EV Charging Station (and potentially OEM brands IEVISION, LECTRON, MORECEVSE, PRIMECOM, XUNDAO, MOREC, OCULAR) up to firmware version 20260426. The Bluetooth Low Energy (BLE) component implements a weak authentication mechanism: the device ships with a shared default (common) password and enforces a fixed 6-digit numeric password format, limiting the keyspace to only 1,000,000 possible combinations. This design significantly reduces resistance to brute-force attacks [1].

Exploitation

An attacker positioned within the local network can capture the BLE authentication handshake by passively sniffing traffic. The attacker then performs an offline brute-force cracking attack against the captured handshake, recovering the password without requiring further interaction with the device. The attack is characterized by high complexity and is described by the vendor as difficult to exploit [1].

Impact

Successful exploitation allows an attacker to gain unauthorized access to the charging station. With access, the attacker can control the device (e.g., start/stop charging sessions, modify settings). The impact centers on unauthorized control, potentially leading to operational disruption or misuse of the charging station. The disclosure also notes that related findings (CVE-2026-9395) expose cleartext passwords over UDP and BLE, which could further aid exploitation [1].

Mitigation

As of the original disclosure in April 2026, the vendor Besen acknowledged the report and stated they are reviewing these vulnerabilities. No fixed firmware version or workaround has been published at the time of the CVE publication (2026-05-24). Users should monitor vendor updates and restrict local network access to the device until a patch is available [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
