KeyAudit

infrastructure

Three Critical Vulnerabilities Found in XCharge C6 EV Charging Controller

CISA has disclosed three high-severity vulnerabilities in the XCharge C6 electric vehicle charging controller, affecting firmware versions prior to May 22, 2026. The flaws include a firmware integrity check bypass (CVE-2026-9037, CVSS 9.8), a stack-based buffer overflow in signal processing (CVE-2026-9038, CVSS 9.8), and an insecure default credential in the remote management service (CVE-2026-9039, CVSS 9.8). Successful exploitation could allow attackers to gain administrative control or execute arbitrary code with elevated privileges. The vulnerabilities were reported by Lionel R. Saposnik of SaiFlow to CISA. The XCharge C6 is deployed worldwide in the transportation sector.

The three flaws differ in how they are reached. The firmware integrity check issue allows remote code injection via the management interface. The buffer overflow requires physical access to the charging connector, and the default credential issue enables administrative access via the same physical interface.

CISA recommends minimizing network exposure, using VPNs for remote access, and following ICS security best practices. No public exploitation has been reported to date. Users are advised to update to the latest firmware and apply defensive measures as outlined in the CISA advisory.
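To illustrate what a firmware integrity check on a downloaded image should enforce before anything is written to flash, here is an added example that is not XCharge's code; it assumes a constructed container format, and a device-provisioned HMAC key stands in for the vendor signature a real device would verify with a public key burned into ROM.

```python
import hashlib
import hmac
import struct

# Assumed container layout (constructed for this example, not the XCharge C6's real format):
#   magic (4) | version (uint32 BE) | payload_len (uint32 BE) | tag (32) | payload
# The tag is HMAC-SHA256 over magic, version, length and payload. In a real controller
# this would be an asymmetric signature checked against a key the device trusts.
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII32s")
DEVICE_KEY = b"constructed-provisioning-key-example"  # placeholder, not a real key


def _tag(version: int, payload: bytes) -> bytes:
    """Authenticate header fields together with the payload so neither can be swapped."""
    msg = MAGIC + struct.pack(">II", version, len(payload)) + payload
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def build_image(version: int, payload: bytes) -> bytes:
    """Produce a correctly tagged image; used only to construct sample inputs."""
    return HEADER.pack(MAGIC, version, len(payload), _tag(version, payload)) + payload


def verify_image(image: bytes, installed_version: int) -> tuple[bool, str]:
    """Return (accepted, reason). Every check must pass before the image is flashed."""
    if len(image) < HEADER.size:
        return False, "truncated header"
    magic, version, length, tag = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    payload = image[HEADER.size:]
    if len(payload) != length:                                  # trailing or missing bytes
        return False, "length mismatch"
    if not hmac.compare_digest(_tag(version, payload), tag):    # constant-time compare
        return False, "authentication tag mismatch"
    if version <= installed_version:                            # anti-rollback: an old signed image is still an attack
        return False, "downgrade or replay"
    return True, "ok"


if __name__ == "__main__":
    good = build_image(3, b"constructed firmware payload")
    print(verify_image(good, installed_version=2))              # (True, 'ok')
    tampered = bytearray(good)
    tampered[-1] ^= 0x01                                        # flip one payload bit
    print(verify_image(bytes(tampered), installed_version=2))   # (False, 'authentication tag mismatch')
```

Note that a digest stored alongside the payload with no key behind it is not an integrity check against a network attacker, who can simply recompute it after modifying the download.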

Key facts

  • Three critical CVSS 9.8 vulnerabilities in XCharge C6 charging controller.
  • CVE-2026-9037: Firmware download without integrity check.
  • CVE-2026-9038: Stack-based buffer overflow in signal processing.
  • CVE-2026-9039: Insecure default credential in remote management service.
  • No public exploitation reported; update firmware and restrict network access.
