CVE-2026-8980: Privilege Escalation
The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin (operator) and manufacturer accounts via crafted POST requests.
HarborGuard Analysis
Synopsis
A privilege escalation vulnerability affects the Mennekes Amtron series of EV charging station firmware at versions 5.22.3 and earlier. The flaw is reachable over the network and requires only a low-privilege authenticated session, meaning any registered user can send crafted HTTP POST requests to overwrite the passwords of administrator and manufacturer accounts. Successful exploitation gives the attacker full administrative control over the charging station, including the ability to read sensitive configuration data, tamper with charging session records, and disrupt station operation. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.
HarborGuard Coverage
Detection capability for CVE-2026-8980 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built firmware images derived from the Mennekes Amtron base. Any image at firmware version 5.22.3 or earlier is flagged automatically.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 9.3 (Critical) and weighting the result against each environment's compliance policy to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on policy configuration.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated firmware version is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Amtron firmware's HTTP interface over the network; local or physical access is not required.
- Authentication: Required
  A low-privilege account is sufficient; the attacker does not need admin credentials, only any valid user session on the device.
- Victim interaction: Not required
  No victim action is needed; the attacker sends crafted POST requests directly without any social-engineering step.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is straightforward and reliable with no race conditions or special environmental factors required.
Blast Radius
- Attacker overwrites the admin (operator) account password, locking out the legitimate administrator and taking full control of the device.
- Attacker overwrites the manufacturer account password, gaining the highest privilege tier and access to all configuration and diagnostic functions.
- With admin control, the attacker reads stored charging session data, network credentials, and device configuration from the station.
- The attacker can alter charging behavior or disable the station entirely, disrupting EV charging service for end users.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-8980 is active across all environments scanning images based on Mennekes Amtron firmware 5.22.3 or earlier, with matches surfaced within minutes of CVE publication. Because no upstream fix has been released, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available as soon as a remediated firmware version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy isolation to restrict access to the Amtron management interface to trusted internal subnets only, egress filtering to prevent lateral movement from a compromised station, and review of all existing low-privilege accounts to minimize the pool of credentials that could be used to trigger this escalation path.
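The interim triage described above, as an added example (not HarborGuard's or the vendor's code): it flags stations at firmware 5.22.3 or earlier and ranks them by whether the management interface is reachable from outside trusted subnets and by how many low-privilege accounts exist. The inventory records, field names, and the trusted subnet are constructed assumptions.

```python
import ipaddress

AFFECTED_MAX = (5, 22, 3)  # from the advisory: firmware <= 5.22.3 is affected
# Assumption: the subnets you trust to reach the management interface.
TRUSTED = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample inventory; field names and values are hypothetical.
INVENTORY = [
    {"id": "station-a", "firmware": "5.22.3",
     "mgmt_allowed_from": ["10.20.4.0/24"], "low_priv_accounts": 1},
    {"id": "station-b", "firmware": "5.9.1",
     "mgmt_allowed_from": ["0.0.0.0/0"], "low_priv_accounts": 4},
    {"id": "station-c", "firmware": "5.23.0",
     "mgmt_allowed_from": ["192.168.1.0/24"], "low_priv_accounts": 2},
    {"id": "station-d", "firmware": "unknown",
     "mgmt_allowed_from": ["10.20.9.0/24", "203.0.113.0/24"], "low_priv_accounts": 2},
]

def is_affected(firmware):
    """Compare numerically ("5.9.1" < "5.22.3"); unparseable counts as affected."""
    parts = firmware.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return True  # unknown version: keep it in scope until verified
    version = tuple(int(p) for p in parts)
    width = max(len(version), len(AFFECTED_MAX))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) <= pad(AFFECTED_MAX)

def untrusted_sources(cidrs):
    """Return the allowed source ranges that are not inside a trusted subnet."""
    exposed = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED):
            exposed.append(cidr)
    return exposed

def audit(inventory):
    """List affected stations, those reachable from untrusted ranges first."""
    findings = []
    for station in inventory:
        if not is_affected(station["firmware"]):
            continue
        exposed = untrusted_sources(station["mgmt_allowed_from"])
        findings.append({"id": station["id"], "exposed_to": exposed,
                         "low_priv_accounts": station["low_priv_accounts"],
                         "priority": "high" if exposed else "medium"})
    return sorted(findings, key=lambda f: (f["priority"] != "high", -f["low_priv_accounts"]))
```

Every affected station stays in the output even when its interface is restricted to trusted subnets, because the escalation only needs a valid low-privilege session.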
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
  - Mennekes / Amtron ≤ 5.22.3
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P