CVE-2026-9037
CRITICALDownload of code without integrity check in XCharge C6
Title source: cnaDescription
A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.
References (1)
Core 1
Core References
Government Resource government-resource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08
Scores
CVSS v4
9.3
EPSS
0.0022
EPSS Percentile
12.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-494
Status
published
Products (1)
XCharge/C6
< May_22_2026
Published
May 28, 2026
Tracked Since
May 29, 2026