---
title: "Critical Flaws in XCharge C6 EV Chargers Allow Admin Takeover"
short_title: "XCharge C6 EV chargers vulnerable to admin takeover"
description: "Three critical vulnerabilities in XCharge C6 EV chargers enable attackers to gain admin rights or execute code. Learn about risks, mitigations, and patches."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [ev chargers, cve-2026-9037, cve-2026-9038, cve-2026-9039, cybersecurity, critical]
score: 0.85
cve_ids: [CVE-2026-9037, CVE-2026-9038, CVE-2026-9039]
---
## TL;DR
Three critical vulnerabilities in XCharge C6 EV chargers could allow attackers to gain administrator rights or execute unauthorized code on affected devices. These flaws, including a lack of firmware integrity checks and stack-based buffer overflows, pose severe risks to transportation systems worldwide. XCharge has released patches—users must update immediately to mitigate threats.
## Main Content
### Introduction
Electric vehicle (EV) charging infrastructure is expanding rapidly, but so are the cybersecurity risks associated with it. XCharge C6, a widely deployed EV charging controller, has been found vulnerable to three critical security flaws that could enable attackers to take full control of affected devices. These vulnerabilities, tracked as CVE-2026-9037, CVE-2026-9038, and CVE-2026-9039, expose transportation systems to potential disruptions, data breaches, and unauthorized access.
### Key Points
- Three critical vulnerabilities affect XCharge C6 EV chargers, enabling admin rights takeover or code execution.
- CVE-2026-9037 involves downloading firmware without integrity checks, allowing attackers to install malicious firmware.
- CVE-2026-9038 is a stack-based buffer overflow vulnerability exploitable via physical access to the charging interface.
- CVE-2026-9039 stems from insecure default credentials, granting admin access to malicious devices connected to the charger.
- XCharge has deployed patches for all affected devices—users must update immediately.
- No known public exploitation has been reported yet, but the risks are severe.
### Technical Details
#### 1. CVE-2026-9037: Download of Code Without Integrity Check
- Severity: Critical (CVSS 9.8)
- Description: The firmware update mechanism in XCharge C6 fails to validate the authenticity of firmware packages. Attackers with access to the management interface can impersonate the update channel and install malicious firmware, leading to unauthorized code execution with high privileges.
- Attack Vector: Remote or local network access to the management interface.
- Relevant CWE: CWE-494: Download of Code Without Integrity Check
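To make the CWE-494 point concrete, here is an added example (not XCharge's code and not taken from the CISA advisory) of the check an updater needs before it writes anything to flash. The package layout, the "FWPK" magic and the choice of Ed25519 are assumptions made for this example; what matters is that the signature is verified against a public key already provisioned on the device before any header field is trusted, and that an anti-rollback check sits on top of it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout for this example (an assumption, not XCharge's real
// update format):
//   [0:4]   magic "FWPK"
//   [4:8]   firmware version, big-endian uint32
//   [8:12]  image length, big-endian uint32
//   [12:]   image bytes, followed by a 64-byte Ed25519 signature over all
//           preceding bytes
const (
	magic     = "FWPK"
	headerLen = 12
	sigLen    = ed25519.SignatureSize
)

var (
	ErrMalformed    = errors.New("firmware package malformed")
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version older than installed")
)

// NewReleaseKey makes a fresh signing keypair. Only the public half is provisioned
// on the charger; the private half stays with the vendor's release process.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildPackage is the vendor-side step: header + image, signed with the release key.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	body := make([]byte, headerLen+len(image))
	copy(body[0:4], magic)
	binary.BigEndian.PutUint32(body[4:8], version)
	binary.BigEndian.PutUint32(body[8:12], uint32(len(image)))
	copy(body[headerLen:], image)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyPackage is the device-side check that CWE-494 describes as missing: parse
// conservatively, then verify the signature before trusting any header field.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte) (uint32, []byte, error) {
	if len(pkg) < headerLen+sigLen || string(pkg[0:4]) != magic {
		return 0, nil, ErrMalformed
	}
	body, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if binary.BigEndian.Uint32(body[8:12]) != uint32(len(body)-headerLen) {
		return 0, nil, ErrMalformed
	}
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	return binary.BigEndian.Uint32(body[4:8]), body[headerLen:], nil
}

// InstallFirmware gates the flash write on signature verification plus an
// anti-rollback check, so a genuinely signed but older image cannot be replayed
// to reintroduce a patched bug. It returns the version now installed.
func InstallFirmware(pub ed25519.PublicKey, installed uint32, pkg []byte, flash func([]byte) error) (uint32, error) {
	version, image, err := VerifyPackage(pub, pkg)
	if err != nil {
		return installed, err
	}
	if version < installed {
		return installed, ErrRollback
	}
	if err := flash(image); err != nil {
		return installed, err
	}
	return version, nil
}

func main() {
	pub, priv := NewReleaseKey()
	pkg := BuildPackage(priv, 2, []byte("constructed firmware image"))
	flash := func(b []byte) error { fmt.Printf("flashing %d bytes\n", len(b)); return nil }

	v, err := InstallFirmware(pub, 1, pkg, flash)
	fmt.Println("genuine package:", v, err)

	tampered := append([]byte(nil), pkg...)
	tampered[headerLen] ^= 0x01 // one bit flipped in the image
	_, err = InstallFirmware(pub, 1, tampered, flash)
	fmt.Println("tampered package:", err)
}
```

The order inside `VerifyPackage` is deliberate: length sanity comes first so a forged header cannot drive an out-of-range slice, but no field is acted on until the signature has verified. Rejecting a lower version than the one installed closes the separate problem of replaying an old, validly signed image.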
#### 2. CVE-2026-9038: Stack-Based Buffer Overflow
- Severity: High (CVSS 7.6)
- Description: A stack-based buffer overflow vulnerability exists in the charging controller's signal-processing logic. Attackers with physical access to the charging interface can send maliciously crafted message fields that exceed expected bounds, leading to memory corruption and unauthorized code execution.
- Attack Vector: Physical access to the charging interface.
- Relevant CWE: CWE-121: Stack-Based Buffer Overflow
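An added example (not the C6's real parser) of the bounds checks whose absence produces CWE-121. The field layout and the 16-byte slot size are constructed assumptions; the controller firmware is native code, but the two checks, declared length against the bytes actually received and against the destination buffer, are the same in any language, and the comment marks the spot where an unchecked copy would overwrite the stack.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed wire format for this example (an assumption, not the C6's real
// charging-interface protocol): a message is a sequence of fields, each laid out
// as [type:1][length:1][value:length], and the controller stores every value in
// a fixed 16-byte slot.
const fieldCap = 16

// Field is one decoded field; Value is fixed-size, mirroring a stack buffer in C.
type Field struct {
	Type  byte
	Len   int
	Value [fieldCap]byte
}

var (
	ErrTruncated = errors.New("declared field length exceeds remaining message bytes")
	ErrOversized = errors.New("declared field length exceeds field capacity")
)

// ParseMessage enforces the two bounds an unchecked copy omits: the declared
// length must fit in the bytes actually received, and it must fit in the
// destination slot. Any violation rejects the whole message; nothing is
// processed partially.
func ParseMessage(msg []byte) ([]Field, error) {
	var fields []Field
	off := 0
	for off < len(msg) {
		if len(msg)-off < 2 {
			return nil, ErrTruncated // type byte without a length byte
		}
		typ, n := msg[off], int(msg[off+1])
		off += 2
		if n > len(msg)-off {
			return nil, ErrTruncated // length points past the end of the message
		}
		if n > fieldCap {
			// This is the check whose absence turns an attacker-chosen length into a
			// stack overflow: without it, copying n bytes into a 16-byte buffer would
			// overwrite whatever follows that buffer on the stack.
			return nil, ErrOversized
		}
		f := Field{Type: typ, Len: n}
		copy(f.Value[:], msg[off:off+n])
		fields = append(fields, f)
		off += n
	}
	return fields, nil
}

func main() {
	// Constructed sample messages.
	good := []byte{0x01, 0x03, 'A', 'B', 'C', 0x02, 0x01, 0xFF}
	oversized := append([]byte{0x01, 0x20}, make([]byte, 0x20)...) // length 32 > fieldCap
	truncated := []byte{0x01, 0x05, 'A', 'B'}                     // claims 5 bytes, carries 2

	for _, m := range [][]byte{good, oversized, truncated} {
		fields, err := ParseMessage(m)
		fmt.Printf("%x -> %d fields, err=%v\n", m, len(fields), err)
	}
}
```

Rejecting the whole message rather than the single bad field keeps the controller from acting on a partially parsed command, which is the safer failure mode for a device that switches high-power hardware.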
#### 3. CVE-2026-9039: Insecure Default Configuration
- Severity: High (CVSS 7.6)
- Description: The remote management service of the XCharge C6 uses default administrative credentials and is accessible via the charging connector. Attackers can exploit this misconfiguration to gain full administrative access to the device.
- Attack Vector: Physical connection to the charging interface.
- Relevant CWE: CWE-1188: Initialization of a Resource with an Insecure Default
### Impact Assessment
The vulnerabilities in XCharge C6 EV chargers pose significant risks to transportation systems and critical infrastructure worldwide. Successful exploitation could lead to:
- Unauthorized administrative access to EV charging networks.
- Disruption of charging services, impacting fleets, public charging stations, and private users.
- Data breaches or manipulation of charging sessions, leading to financial losses or safety hazards.
- Lateral movement within networks, potentially compromising connected systems.
Given the global deployment of XCharge C6 chargers, the potential impact is widespread and severe.
### Mitigation Steps
XCharge has deployed patches for all affected devices. Users are urged to:
1. Update immediately to the latest firmware version (post-May 22, 2026).
2. Contact XCharge Support for assistance: https://www.xcharge.com/contact.
3. Isolate charging networks from business networks using firewalls.
4. Restrict physical access to charging interfaces to prevent exploitation of CVE-2026-9038 and CVE-2026-9039.
5. Monitor for suspicious activity and report incidents to CISA.
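For step 5, and for the default-credential problem behind CVE-2026-9039, here is an added detection example (not XCharge or CISA tooling) that runs three rules over constructed charger log lines: a management login arriving over the charging connector, a successful login on a factory-default account, and a firmware update applied without signature verification. The log format, the field names and the `admin` account name are assumptions; the advisory does not publish the real account name, so that placeholder has to be filled in from vendor documentation before the rule is useful.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed log format for this example (an assumption; a real C6 log will
// differ and the parser below would need adapting):
//   <timestamp> <subsystem> <action> key=value key=value ...
type Event struct {
	Time, Subsys, Action string
	Attrs                map[string]string
}

// Alert names the rule that fired and the line that triggered it.
type Alert struct {
	Rule string
	Line string
}

// defaultAdminUsers is a placeholder: the advisory says the remote management
// service ships with default administrative credentials but does not name the
// account, so this must be filled in from the vendor's documentation.
var defaultAdminUsers = map[string]bool{"admin": true}

func parseLine(line string) (Event, bool) {
	parts := strings.Fields(line)
	if len(parts) < 3 {
		return Event{}, false
	}
	ev := Event{Time: parts[0], Subsys: parts[1], Action: parts[2], Attrs: map[string]string{}}
	for _, kv := range parts[3:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.Attrs[k] = v
		}
	}
	return ev, true
}

// Detect applies three rules tied to the advisory. Each rule is checked
// independently, so one line can raise more than one alert.
func Detect(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		login := ev.Subsys == "mgmt" && ev.Action == "login"
		// CVE-2026-9039: the management service should never be reached over the
		// charging connector; a login from that side is suspicious whatever its outcome.
		if login && ev.Attrs["src"] == "connector" {
			alerts = append(alerts, Alert{"mgmt-login-via-connector", line})
		}
		// CVE-2026-9039: a successful login on a factory-default account means the
		// credential change has not been applied or has been undone.
		if login && ev.Attrs["result"] == "ok" && defaultAdminUsers[ev.Attrs["user"]] {
			alerts = append(alerts, Alert{"default-admin-login", line})
		}
		// CVE-2026-9037: a firmware update applied without signature verification is
		// exactly the path the integrity-check flaw opens.
		if ev.Subsys == "fw" && ev.Action == "update" && ev.Attrs["signed"] != "yes" {
			alerts = append(alerts, Alert{"unverified-firmware-update", line})
		}
	}
	return alerts
}

// SampleLog is constructed input for the example, not output from a real device.
var SampleLog = []string{
	"2026-05-23T10:01:02Z mgmt login user=admin src=connector result=ok",
	"2026-05-23T10:02:10Z mgmt login user=ops src=lan result=ok",
	"2026-05-23T10:05:00Z fw update src=lan signed=no result=ok",
	"2026-05-23T10:07:00Z mgmt login user=admin src=lan result=fail",
	"garbage",
	"2026-05-23T10:09:00Z fw update src=cloud signed=yes result=ok",
}

func main() {
	for _, a := range Detect(SampleLog) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Line)
	}
}
```

The first sample line raises two alerts on its own, which is the intended behaviour: a connector-side login and a default-account login are separate findings with separate fixes (network isolation versus credential rotation), and collapsing them into one would hide whichever mitigation is still missing.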
### Affected Systems
- Product: XCharge C6 EV Charging Controller
- Versions: All versions released before May 22, 2026
- Critical Infrastructure Sector: Transportation Systems
- Deployment: Worldwide
## Conclusion
The discovery of three critical vulnerabilities in XCharge C6 EV chargers highlights the growing cybersecurity risks in the EV charging ecosystem. While XCharge has taken swift action to patch the flaws, users must act immediately to update their devices and implement recommended security measures. Failure to do so could expose transportation systems to severe disruptions, unauthorized access, and potential safety hazards.
For more details, refer to the CISA advisory and stay vigilant against emerging threats in critical infrastructure.
## References
[^1]: CISA. "ICSA-26-148-08: XCharge C6 Vulnerabilities". Retrieved 2024-10-02.
[^2]: MITRE. "CWE-494: Download of Code Without Integrity Check". Retrieved 2024-10-02.
[^3]: MITRE. "CWE-121: Stack-Based Buffer Overflow". Retrieved 2024-10-02.
[^4]: MITRE. "CWE-1188: Initialization of a Resource with an Insecure Default". Retrieved 2024-10-02.
[^5]: XCharge. "Support and Contact". Retrieved 2024-10-02.