Severity: CRITICAL | CVE-2026-8979 | CNA: CyberDanube

CVE-2026-8979: Authentication Bypass

The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint.

HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects the Mennekes Amtron series of EV charging station controllers running firmware version 5.22.3 and earlier. The flaw is reachable over the network with no authentication required, allowing an attacker to send a crafted POST request to the /operator/operator endpoint and change the password of the user account. Successful exploitation gives the attacker full control over the device account, enabling unauthorized configuration changes, service disruption, and lateral access to connected systems. No fix has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-8979 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Mennekes Amtron firmware or dependent components.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 9.3 (Critical) and weighting findings against each environment's compliance policy to route alerts to the appropriate team inbox within the customer org.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Mennekes releases a remediated firmware version. In the interim, the CVE remains flagged as unresolved in all affected image scans.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's HTTP service over the network; the vulnerable endpoint is exposed remotely with no requirement for LAN or physical proximity.

  • Authentication: Not required

    No credentials of any kind are needed; the crafted POST request can be sent by a completely unauthenticated attacker.

  • Victim interaction: Not required

    The attack is fully automated and requires no action from any user or operator of the device.

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable, requiring no race conditions, special memory layout, or environmental setup beyond network access to the endpoint.

Blast Radius

  • The attacker overwrites the user account password, locking out the legitimate operator and taking sole control of the device account.
  • With account control, the attacker can reconfigure charging behavior, disable the charging station, or enable unauthorized charging sessions.
  • System and supporting-infrastructure confidentiality is fully compromised: the attacker reads stored credentials, session data, and device configuration.
  • Downstream systems connected to the same network segment are exposed to lateral movement from a now-attacker-controlled device.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-8979 is active across all scanning pipelines, and the CVE is flagged at Critical (CVSS 9.3) in any image found to contain an affected Mennekes Amtron firmware component at version 5.22.3 or earlier. Because no upstream patch exists, HarborGuard cannot yet offer an automated rebuild-and-PR flow; however, the advisory is re-evaluated on every ingest cycle so a patched rebuild becomes available automatically the moment Mennekes publishes a fix. While awaiting a fix, customers can use HarborGuard policy controls to apply compensating controls: network-policy isolation rules to restrict inbound access to the /operator/operator endpoint, egress filtering to limit the device's outbound reach, and escalation alerts to ensure any image shipping this component is flagged for manual review before deployment.
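
One way to verify that inbound access to /operator/operator is actually restricted, as an added example that is not HarborGuard or Mennekes code: a Python scan of access logs for POST requests to the endpoint from outside a management allowlist. The Common Log Format input (for instance from a reverse proxy placed in front of the charger), the MGMT_NETS range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: management hosts permitted to reach the operator UI.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]
TARGET = "/operator/operator"  # endpoint named in the advisory

# Common/Combined Log Format: ip - user [time] "METHOD uri PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(uri):
    """Canonicalize the path so encoded or padded variants still match."""
    path = uri.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    path = re.sub(r"/{2,}", "/", re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda h: chr(int(h[1], 16)), path))  # decode, collapse slashes
    return path.rstrip("/").lower() or "/"  # lowercasing over-matches on purpose

def suspicious(lines, allowed=MGMT_NETS):
    """Return (ip, timestamp, status) for POSTs to TARGET from outside `allowed`."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or normalize(m["uri"]) != TARGET:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # entries logged by hostname need separate resolution
        if not any(src in net for net in allowed):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.5 - - [01/Jan/2026:10:00:00 +0000] "POST /operator/operator HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2026:10:02:11 +0000] "POST /operator/operator HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2026:10:02:15 +0000] "GET /operator/operator HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2026:10:05:40 +0000] "POST //operator/%6Fperator/?x=1 HTTP/1.1" 403 0',
    '203.0.113.9 - - [01/Jan/2026:10:06:00 +0000] "POST /login HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, ts, status in suspicious(SAMPLE):
        print(f"ALERT {ts} {ip} POST {TARGET} -> {status}")
```

Hits are worth reviewing regardless of status code, since the advisory text on this page does not describe how the device responds to a successful request.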

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected products: 1
  • Affected packages: Mennekes / Amtron ≤ 5.22.3
  • CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P