CVE-2026-22099

EVbee · DC-80

The EVbee DC-80 charging station lacks authentication for Bluetooth commands, allowing unauthorized parties to execute commands.

Executive summary

The EVbee DC-80 charging station is vulnerable to unauthorized command execution via Bluetooth due to improper authentication, posing a high risk of remote manipulation.

Vulnerability

This vulnerability (CWE-287) exists because the device fails to perform any authentication checks for commands sent over Bluetooth. An unauthenticated attacker within proximity can send arbitrary commands to the charging station.

Business impact

Successful exploitation allows an attacker to gain full control over the charging station's operations. Given the CVSS score of 8.7, this represents a high-severity risk that could lead to physical damage to the charging hardware, service disruption, or unauthorized use of the charging infrastructure, resulting in financial loss and operational downtime.

Remediation

Immediate Action: Update the EVbee DC-80 firmware to version 1.5.4 or later immediately.

Proactive Monitoring: Monitor Bluetooth access logs for unusual or unauthorized pairing and command execution attempts.

Compensating Controls: If firmware updates cannot be applied immediately, restrict physical access to the device or disable Bluetooth interfaces if they are not required for operation.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The severity of this vulnerability necessitates immediate action, particularly for units deployed in public or accessible locations. Administrators must prioritize the firmware update to version 1.5.4 to enforce necessary authentication controls and prevent unauthorized command execution.