CVE-2026-22097
EVbee · DC-80
The EVbee DC-80 firmware update mechanism lacks cryptographic signature validation, allowing unauthenticated remote attackers to execute arbitrary code via malicious firmware uploads.
Executive summary
A critical vulnerability in the EVbee DC-80 firmware update process allows for remote code execution due to a lack of cryptographic signature verification.
Vulnerability
This is an improper check for cryptographic signature (CWE-347) vulnerability. The device fails to validate the integrity of firmware updates, permitting an unauthenticated attacker to inject and execute arbitrary code.
Business impact
Successful exploitation grants an attacker full control over the device, potentially leading to total system compromise. Given the CVSS score of 9.3, the impact is severe, as it could result in unauthorized power grid interaction, data theft, or permanent denial-of-service for EV charging infrastructure.
Remediation
Immediate Action: Update the EVbee DC-80 firmware to version 1.5.1 or later immediately.
Proactive Monitoring: Review device access logs for unauthorized firmware update requests or unusual file upload activity.
Compensating Controls: Restrict network access to the device management interface to trusted administrative subnets via firewall rules.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This is a critical security flaw that requires immediate attention. Organizations utilizing EVbee DC-80 hardware must prioritize the transition to firmware version 1.5.1 to prevent potential remote command execution and maintain the integrity of their charging network.