Besen BS20 EV Charging Station BLE/WiFi authentication replay
Description
A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Besen BS20 EV Charging Station up to 20260426 has an authentication bypass via capture-replay in BLE/WiFi, allowing local network attackers to impersonate and control the device.
Vulnerability
The Besen BS20 EV Charging Station (firmware versions up to 20260426) exposes an authentication bypass via capture-replay on its BLE and WiFi interfaces [1]. The device does not implement replay protection, allowing an attacker to record valid authentication exchanges and reuse them to impersonate a legitimate user. The affected component is unspecified but involves both BLE and WiFi communication channels.
Exploitation
An attacker must be on the same local network as the charging station to capture the authentication handshake. The attack is described as highly complex, likely due to the need to synchronize with the short-lived authentication window and the requirement to capture traffic without triggering alarms. Once captured, the recorded packet can be replayed to bypass authentication without knowledge of the actual credentials.
Impact
Successful exploitation grants full unauthorized access to the charging station's control interface. An attacker can modify charging parameters, initiate or stop charging sessions, and potentially disrupt the EV charging service. The authentication bypass undermines all security controls that rely on proper user identification.
Mitigation
As of the publication date (2026-05-24), Besen has acknowledged the report and is reviewing the issue [1]. No official patch or firmware update has been released. Users should isolate the charging station on a separate, secure network segment and monitor the vendor's advisory channels for future fixes. The vulnerability affects all versions up to 20260426.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- vuldb.com/submit/813577mitrethird-party-advisory
- vuldb.com/vuln/365379mitrevdb-entry
- vuldb.com/vuln/365379/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.