Besen BS20 EV Charging Station OTA Update Installation improper authorization

Vulnerability

CVE-2026-9397 describes an improper authorization weakness in the Over-The-Air (OTA) update installation handler of Besen BS20 Home EV Charging Stations up to firmware version 20260426. The device fails to properly validate the authenticity or authorization of OTA firmware update requests, allowing a remote attacker to trigger installation of unsigned or malicious firmware. The affected functionality is triggered during the firmware update process, and the condition is reachable over the network without any prior authentication required for the update endpoint.

Exploitation

Exploitation requires a remote network position able to intercept or spoof OTA update traffic to the charging station. The attack has a high complexity — the exploit must craft a properly sequenced update payload that bypasses the incomplete validation logic. No user interaction or local privileges are needed beyond network access. The attacker can spoof a legitimate OTA update server or inject a malicious update packet into the device's communication channel.

Impact

Successful exploitation allows an attacker to install arbitrary firmware onto the BS20 charging station, gaining full control over the device. This can lead to disruption of charging operations, extraction of configuration data, or use of the device as a pivot point into the local network. The impact is high in terms of integrity and availability, with potential for secondary compromise of connected systems.

Mitigation

As of the publication date (2026-05-24), Besen has acknowledged the report and stated they are reviewing the issue as of April 2026 [1]. No official patch or firmware update has been released. Users are advised to monitor the vendor's security advisories and restrict network access to the charging station until a fix is available. No workaround has been published. The vulnerability is not listed on CISA KEV as of this writing.