HarborGuard / CVE
Back to search
CRITICALCVE-2026-9037Published Modified CNA icscert

CVE-2026-9037: Download of code without integrity check in XCharge C6

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

HarborGuard Analysis

HarborGuard analysis

Synopsis

This is an unauthenticated remote code execution vulnerability caused by a missing integrity check in the firmware update mechanism of the XCharge C6 charging controller. An attacker who can intercept or impersonate the device's management channel over the network, without any credentials, can deliver a tampered firmware package that the device installs without signature verification. Successful exploitation gives the attacker full code execution with high privileges on the device. A patched-image rebuild at version May_22_2026 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-9037 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream ICS-CERT and NVD feeds, including custom-built images that package or depend on XCharge C6 firmware. Coverage extends to both registry scans and inline pipeline checks, so newly pushed images are evaluated before they reach production.

Available
Triage

HarborGuard scores this CVE at 9.3 Critical (CVSS v4.0) and surfaces it with corresponding priority weighting applied against each customer organization's compliance policy. Triage tickets are routed to the appropriate team inbox within each customer org based on the severity tier and any policy-defined escalation rules.

Available
Patch

A patched-image rebuild at version May_22_2026 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to reach the device's management interface over the network in order to intercept or impersonate the firmware update channel.

  • AuthenticationNot required

    No credentials are needed; the firmware update mechanism accepts packages without authenticating the source.

  • Victim interactionNot required

    No user or operator action is required after the attacker delivers the malicious firmware package.

  • Attack complexityDetail

    The exploit is reliable and condition-free once network access to the management channel is established; no race conditions or special environmental factors apply.

Blast Radius

  • The attacker executes arbitrary code at high privilege on the XCharge C6 device, gaining full control of its runtime environment.
  • All data stored on or processed by the device, including configuration and session state, is readable by the attacker.
  • The attacker can modify persisted firmware, configuration, or charging-session records on the device.
  • The attacker can crash or permanently alter the charging controller, causing a service outage for connected charging sessions.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9037 is active as soon as an affected XCharge C6 image version appears in a customer registry or build pipeline, matched against the ICS-CERT advisory within minutes of publication. For environments running versions below May_22_2026, a rebuild against the fixed version is available. Where customers have auto-remediation enabled, HarborGuard performs the rebuild, executes regression tests, and opens a PR against the affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Because this vulnerability sits in a firmware update path rather than a conventional application layer, customers should also consider compensating controls such as network-policy isolation of the management interface and egress filtering to restrict which endpoints the device can contact for firmware downloads, regardless of patch status.

See how HarborGuard automates this

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
May_22_2026
Affected Products
1

Fix available

May_22_2026
Affected packages
  • XCharge / C6
    < May_22_2026 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References