CVE-2026-9397

HIGH

Besen BS20 EV Charging Station OTA Update Installation improper authorization

Title source: cna

Description

A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."

References (4)

Core 4

Core References

Vdb Entry vdb-entry

VDB-365378 | Besen BS20 EV Charging Station OTA Update Installation improper authorization

https://vuldb.com/vuln/365378

Signature, Permissions Required signature permissions-required

VDB-365378 | CTI Indicators (IOB, IOC, TTP)

https://vuldb.com/vuln/365378/cti

Third Party Advisory third-party-advisory

Submit #813576 | Besen EV Charging Station BS20 EV Charger Embedded Malicious Code

https://vuldb.com/submit/813576

Patch patch

https://github.com/carfeii/besen#finding-4-unauthorized-firmware-installation-via-spoofed-ota-updates

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0056

EPSS Percentile 42.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-266 CWE-285

Status published

Products (1)

Besen/BS20 EV Charging Station 20260426

Published May 24, 2026

Tracked Since May 25, 2026