Critical Flaws in XCharge C6 EV Charging Controllers Allow Remote Code Execution
CISA warns of three vulnerabilities in XCharge C6 EV charging controllers, including a critical firmware integrity bypass (CVE-2026-9037, CVSS 9.8) that allows unauthenticated remote code execution.

CISA has published an advisory detailing three vulnerabilities in XCharge C6 electric vehicle charging controllers, the most severe of which carries a CVSS score of 9.8. The three vulnerabilities (CVE-2026-9037, CVE-2026-9038, and CVE-2026-9039) affect all versions of the C6 controller prior to a firmware update deployed on May 22, 2026. Successful exploitation could allow an attacker to gain administrator rights or execute arbitrary code on the device, posing significant risks to transportation infrastructure worldwide.
The most severe vulnerability, CVE-2026-9037, is a firmware integrity-check bypass. The charging controller's firmware update mechanism fails to validate the authenticity of firmware packages delivered through the management interface. Because cryptographic signatures are not verified, an attacker who can interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This could lead to execution of unauthorized code with high privileges on the device, earning it a critical CVSS score of 9.8.
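As an added illustration (not XCharge's code, package format or key material), this is the kind of check the advisory says the update path lacked: a firmware package carrying an Ed25519 signature that the device verifies against a pinned vendor public key, plus an anti-rollback version check, before anything is written to flash. The package layout, error names and the demo keypair are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout (an assumption, not XCharge's real format):
// [4-byte big-endian version][64-byte Ed25519 signature][image]; the signature covers version || SHA-256(image).
var ErrMalformed = errors.New("firmware package malformed")
var ErrBadSignature = errors.New("firmware signature invalid")
var ErrRollback = errors.New("firmware version not newer than installed")
// signedMessage is the byte string the vendor signature commits to; binding the version prevents header swaps.
func signedMessage(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	return append(binary.BigEndian.AppendUint32(nil, version), h[:]...)
}
// BuildPackage runs at the vendor with the private signing key; the device never holds that key.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	pkg := binary.BigEndian.AppendUint32(nil, version)
	pkg = append(pkg, ed25519.Sign(priv, signedMessage(version, image))...)
	return append(pkg, image...)
}
// VerifyPackage is the gate the device must pass before installing. The flaw the advisory describes
// (CVE-2026-9037) is skipping it and installing whatever arrives on the management channel; a pinned
// public key plus a monotonic version check rejects both forged images and downgrades to older builds.
func VerifyPackage(pub ed25519.PublicKey, installed uint32, pkg []byte) (uint32, []byte, error) {
	if len(pkg) < 4+ed25519.SignatureSize {
		return 0, nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(pkg[:4])
	sig, image := pkg[4:4+ed25519.SignatureSize], pkg[4+ed25519.SignatureSize:]
	if !ed25519.Verify(pub, signedMessage(version, image), sig) {
		return 0, nil, ErrBadSignature
	}
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, image, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo keypair; a real device pins the vendor's public key
	pkg := BuildPackage(priv, 2, []byte("constructed demo image"))
	_, _, err := VerifyPackage(pub, 1, pkg)
	fmt.Println("genuine package accepted:", err == nil)
}
```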
The second vulnerability, CVE-2026-9038, is a stack-based buffer overflow in the charging controller's signal-processing logic. An attacker with physical access to the charging interface can supply message fields that exceed expected bounds, causing memory corruption that may lead to execution of unauthorized code with elevated privileges. This flaw has a CVSS score of 7.6.

The third vulnerability, CVE-2026-9039, involves exposure of default administrative credentials on the charging connector's management interface. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access. It is also rated at CVSS 7.6.
The affected product is the XCharge C6, deployed worldwide in the transportation systems sector. The company headquarters is located in the United States. XCharge has confirmed that an update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details. CISA recommends minimizing network exposure for all control system devices, ensuring they are not accessible from the internet, and locating control system networks behind firewalls isolated from business networks.
These vulnerabilities were reported to CISA by Lionel R. Saposnik of SaiFlow. As of the advisory's publication, no known public exploitation specifically targeting these vulnerabilities has been reported to CISA. However, given the critical nature of the flaws and the widespread deployment of EV charging infrastructure, the risk of future exploitation remains significant. The advisory underscores the growing importance of securing electric vehicle charging infrastructure as it becomes increasingly integrated into critical transportation networks.