CVE-2026-22096
EVbee · DC-80
The EVbee DC-80 web server on port 8090 lacks authentication, permitting unauthorized sensitive data exposure and file uploads.
Executive summary
Critical authentication bypass in the EVbee DC-80 web server allows unauthenticated attackers to access sensitive configuration data and perform arbitrary file uploads.
Vulnerability
The web server component of this device fails to enforce any authentication for its management interface (CWE-306). This allows remote attackers to access configuration files containing passwords or upload malicious files to the device.
Business impact
This vulnerability provides an attacker with administrative-level access to the device. The potential for credential harvesting and the ability to upload files can lead to complete device takeover, which in industrial or charging infrastructure environments, could result in prolonged operational downtime and safety risks.
Remediation
Immediate Action: Update the EVbee DC-80 firmware to version 1.5.1 or later to address the authentication deficiency.
Proactive Monitoring: Monitor the device network traffic for any unexpected file transfers or unauthorized login attempts to the web management interface.
Compensating Controls: Place the management interface behind a VPN or firewall and restrict access to specific, trusted management workstations.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the ease of access and the potential for complete device compromise, immediate firmware updates are required. Organizations should ensure that management interfaces for infrastructure hardware like the DC-80 are never exposed to the public internet.