VYPR
Unrated severity · NVD Advisory · Published May 24, 2026

Besen BS20 EV Charging Station BLE/UDP insufficiently protected credentials

CVE-2026-9395

Description

A vulnerability was identified in Besen BS20 EV Charging Station up to 20260426. Affected is an unknown function of the component BLE/UDP. The manipulation leads to insufficiently protected credentials. The attack needs to be initiated within the local network. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Besen BS20 EV charger leaks credentials in cleartext over BLE and UDP, enabling local network attackers to capture and reuse passwords.

Vulnerability

Cleartext credential exposure exists in the Besen BS20 EV Charging Station up to firmware version 20260426. An unknown function in the BLE and UDP components transmits user credentials in plaintext. During operations such as a password change, both the old and new passwords are sent unencrypted. The same credentials are also broadcast periodically via UDP. This affects the BS20 charger and potentially other OEM-branded units (e.g., IEVISION, LECTRON). [1]

Exploitation

An attacker must be on the same local network as the charging station to capture the plaintext credentials from UDP broadcasts. For BLE exposure, the attacker needs BLE proximity (typically within 10–30 meters). No authentication or prior access is required. The attacker simply monitors network traffic or BLE advertisements to recover the credentials. [1]

Impact

Successful credential capture leads to unauthorized access and full control of the charging station. The attacker can then change settings, initiate charging sessions, or potentially pivot to other devices on the home network. The compromise affects the confidentiality of user credentials and the integrity of device control. [1]

Mitigation

As of April 2026, the vendor Besen has acknowledged the report and is reviewing the issue. No patched firmware version or specific workaround has been released. Users should monitor the vendor's support channels for updates and, if possible, isolate the charger on a separate VLAN to limit exposure on the local network. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)