CVE-2026-22100

EVbee · DC-80

The EVbee DC-80 charging station is vulnerable to OS command injection via the OCPP `ReserveLogin` DataTransfer message.

Executive summary

The EVbee DC-80 charging station is susceptible to OS command injection, allowing authenticated attackers to execute arbitrary system commands.

Vulnerability

This vulnerability (CWE-78) occurs within the OCPP ReserveLogin DataTransfer message function. The application fails to properly neutralize special characters in the input, allowing a user with high privileges to inject and execute arbitrary OS commands on the device.

Business impact

The CVSS score of 8.6 underscores the severity of this command injection vulnerability. A successful exploit grants the attacker complete control over the underlying operating system of the charging station, which could lead to full system compromise, persistent backdoor installation, or the ability to manipulate charging behavior maliciously.

Remediation

Immediate Action: Update the EVbee DC-80 firmware to version 1.5.1 or later immediately to patch the command injection vulnerability.

Proactive Monitoring: Audit logs for any irregular activity or command execution attempts associated with the ReserveLogin message.

Compensating Controls: Restrict administrative access to the charging station management interface to trusted users and networks only, limiting the potential pool of attackers.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Firmware version 1.5.1 addresses the improper neutralization of input in the OCPP messages. All operators must apply this patch to eliminate the command injection vector and ensure the continued integrity and security of their charging infrastructure.