HarborGuard / CVE
Back to search
HIGHCVE-2026-9039Published Modified CNA icscert

CVE-2026-9039: Initialization of a resource with an insecure default in XCharge C6

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.

HarborGuard Analysis

HarborGuard analysis

Synopsis

An insecure default credential vulnerability in the XCharge C6 EV charger allows an attacker who physically connects a malicious device to the charging interface to authenticate to the remote management service using the factory default administrative credential. The service is reachable over the charging connector's communication channel rather than a standard network interface, requiring physical access to the hardware. Successful exploitation gives the attacker full administrative control over the device, including reads and writes to all configuration and operational data. A patched-image rebuild at version May_22_2026 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-9039 is available across every HarborGuard environment; the CVE is ingested from upstream feeds, including ICS-CERT advisories, within minutes of publication and matched against customer images in connected registries, pipelines, and custom-built images derived from affected XCharge C6 firmware bases.

Available
Triage

HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector from the upstream record, and triage capability includes per-environment compliance policy weighting to adjust priority based on whether affected images are deployed in OT or critical-infrastructure contexts, routing findings to the appropriate team inbox within each customer organization.

Available
Patch

A patched-image rebuild at version May_22_2026 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker requires physical proximity to the device; exploitation is carried out by connecting a malicious device directly to the charging connector interface, not over a remote network.

  • AuthenticationNot required

    No credential discovery is needed; the service accepts a publicly known factory default administrative credential, so no prior account access is required.

  • Victim interactionNot required

    No action from an operator or user of the charger is needed; the attacker completes the attack entirely through the physical hardware interface.

  • Attack complexityDetail

    Exploit conditions are reliable and free of environmental dependencies; no race conditions or special memory layout requirements are involved.

Blast Radius

  • Attacker reads all stored device configuration, operational parameters, and any credentials or session data held by the management service.
  • Attacker writes arbitrary configuration changes, including modifying charging behavior, disabling safety interlocks, or altering communication endpoints.
  • Attacker disrupts availability of the charging service, causing the unit to stop accepting or completing charge sessions.
  • The system impact scores are also High across confidentiality, integrity, and availability, meaning downstream systems that trust data or commands from the C6 are equally exposed to manipulation or denial.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-9039 is matched against images in customer registries and pipelines as soon as the advisory is ingested. For environments running an image derived from XCharge C6 firmware versions prior to May_22_2026, a rebuilt image at the patched version is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues. For environments where auto-remediation is not enabled, the finding is routed to the appropriate team inbox with the CVSS v4.0 score and vector attached. Because this vulnerability requires physical connector access, customers should also consider physical access controls and connector port monitoring as compensating measures while any rollout of the patched firmware is in progress.

See how HarborGuard automates this

Metrics

CVSS v4.0
8.6
Severity
HIGH
Fixed in
May_22_2026
Affected Products
1

Fix available

May_22_2026
Affected packages
  • XCharge / C6
    < May_22_2026 (from 0)
CVSS Vector
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References