CVE-2026-22096

EVbee · DC-80

The EVbee DC-80 web server on port 8090 lacks authentication, permitting unauthorized sensitive data exposure and file uploads.

Executive summary

Critical authentication bypass in the EVbee DC-80 web server allows unauthenticated attackers to access sensitive configuration data and perform arbitrary file uploads.

Vulnerability

The web server component of this device fails to enforce any authentication for its management interface (CWE-306). This allows remote attackers to access configuration files containing passwords or upload malicious files to the device.

Business impact

This vulnerability provides an attacker with administrative-level access to the device. The potential for credential harvesting and the ability to upload files can lead to complete device takeover, which in industrial or charging infrastructure environments, could result in prolonged operational downtime and safety risks.

Remediation

Immediate Action: Update the EVbee DC-80 firmware to version 1.5.1 or later to address the authentication deficiency.

Proactive Monitoring: Monitor the device network traffic for any unexpected file transfers or unauthorized login attempts to the web management interface.

Compensating Controls: Place the management interface behind a VPN or firewall and restrict access to specific, trusted management workstations.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the ease of access and the potential for complete device compromise, immediate firmware updates are required. Organizations should ensure that management interfaces for infrastructure hardware like the DC-80 are never exposed to the public internet.