Download of code without integrity check in XCharge C6

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

AI Analysis

Firmware update mechanism fails to validate authenticity of firmware packages, allowing execution of unauthorized code with high privileges

Basic Information

ID CVE-2026-9037

Source icscert

Published May 28, 2026 at 19:04

Affected Product

Vendor XCharge

Product C6

Affected Versions XCharge C6 0

CWE Classification

CWE-494

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor XCharge

Product XCharge C6

References

www.cisa.gov /news-events/ics-advisories/icsa-26-148-08

{
    "lastseen": "",
    "description": "A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.",
    "published": "2026-05-28T19:04:14.794Z",
    "modified": "2026-05-28T19:04:14.794Z",
    "type": "cve",
    "title": "Download of code without integrity check in XCharge C6",
    "source": "icscert",
    "references": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08",
    "id": "CVE-2026-9037",
    "bulletinFamily": "",
    "cwe": [
        "CWE-494"
    ],
    "cvelist": null,
    "sourceData": "XCharge C6 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "C6",
    "version": "0",
    "vendor": "XCharge",
    "ai_description": "Firmware update mechanism fails to validate authenticity of firmware packages, allowing execution of unauthorized code with high privileges",
    "ai_severity": "Critical",
    "ai_vendor": "XCharge",
    "ai_product": "XCharge C6",
    "ai_version": "0",
    "ai_score": 9.3
}

Download of code without integrity check in XCharge C6_CVE-2026-9037