CVE-2026-22098
EVbee · DC-80
The EVbee DC-80 writes sensitive information, including passwords and charging card UIDs, to log files in plaintext, leading to potential credential exposure.
Executive summary
A critical information disclosure vulnerability in the EVbee DC-80 exposes sensitive credentials and user data within system log files.
Vulnerability
This is an improper validation of log file contents (CWE-532) issue. The application logs sensitive data, such as administrative passwords and charging card UIDs, in an unauthenticated, accessible format.
Business impact
The exposure of plaintext passwords and unique identifiers poses a significant risk of account takeover and unauthorized service usage. With a CVSS score of 9.2, this vulnerability could facilitate large-scale identity theft or unauthorized billing, leading to significant reputational and financial damage.
Remediation
Immediate Action: Update the EVbee DC-80 firmware to version 1.5.1 or later to sanitize log output.
Proactive Monitoring: Audit existing log files for exposed sensitive data and rotate any potentially compromised credentials immediately.
Compensating Controls: Implement strict file-system permissions to limit access to log directories and utilize log management systems to redact sensitive information in transit.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Addressing this vulnerability is essential for protecting user privacy and system security. Administrators must apply the provided firmware update and conduct a thorough audit of existing logs to ensure that compromised credentials are revoked and replaced.