CVE-2026-22098

EVbee · DC-80

The EVbee DC-80 writes sensitive information, including passwords and charging card UIDs, to log files in plaintext, leading to potential credential exposure.

Executive summary

A critical information disclosure vulnerability in the EVbee DC-80 exposes sensitive credentials and user data within system log files.

Vulnerability

This is an improper validation of log file contents (CWE-532) issue. The application logs sensitive data, such as administrative passwords and charging card UIDs, in an unauthenticated, accessible format.

Business impact

The exposure of plaintext passwords and unique identifiers poses a significant risk of account takeover and unauthorized service usage. With a CVSS score of 9.2, this vulnerability could facilitate large-scale identity theft or unauthorized billing, leading to significant reputational and financial damage.

Remediation

Immediate Action: Update the EVbee DC-80 firmware to version 1.5.1 or later to sanitize log output.

Proactive Monitoring: Audit existing log files for exposed sensitive data and rotate any potentially compromised credentials immediately.

Compensating Controls: Implement strict file-system permissions to limit access to log directories and utilize log management systems to redact sensitive information in transit.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Addressing this vulnerability is essential for protecting user privacy and system security. Administrators must apply the provided firmware update and conduct a thorough audit of existing logs to ensure that compromised credentials are revoked and replaced.