CISA flags three critical flaws in XCharge C6 EV charging controllers
Two attack paths require only physical access to a charging connector, and one is fully remote, no credentials needed, on infrastructure deployed worldwide.
TL;DR
CISA advisory ICSA-26-148-08 covers three vulnerabilities in the XCharge C6 charging controller: CVE-2026-9037 (CVSS 9.8, remote, no auth required) allows unauthenticated firmware replacement via a management channel that skips signature verification; CVE-2026-9038 (CVSS 7.6) is a stack-based buffer overflow reachable via the physical charging interface; CVE-2026-9039 exposes a remote management service over the charging connector that accepts a default admin credential. XCharge states the fix is deployed for all affected units, but has not specified whether delivery is automatic over-the-air or requires action by site operators. Municipal fleet and transportation departments running C6 units should confirm with XCharge support that each charger is on firmware dated May 22, 2026 or later, since the advisory lists every earlier version as affected.
Three separate attack paths, one product line, and an answer from the vendor that raises more questions than it resolves.
CISA's advisory covers XCharge C6 charging controllers deployed worldwide in transportation infrastructure. The highest-severity finding, CVE-2026-9037 (CVSS 9.8), sits in the firmware update mechanism: the device does not verify cryptographic signatures on firmware packages delivered through its management interface. An attacker who can intercept or spoof that management channel can push arbitrary firmware with full device privileges, no authentication required. Network-accessible, low complexity, no user interaction: those are the worst-case values on every CVSS exploitability metric.
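What a verified update path looks like next to the unverified one, as an added example that is not XCharge's code and does not use the C6 image format. The header layout, Ed25519 as the signature scheme, the pinned vendor public key and the version counter are all assumptions for illustration. `applyUnverified` models the CVE-2026-9037 behaviour: any structurally sound image is flashed, so whoever controls the management channel controls the firmware. `applyVerified` adds the three checks a practitioner would insist on: the signature covers header and payload, the trusted key lives on the device rather than in the package, and a version that is not strictly newer than the installed one is refused so a signed-but-vulnerable build cannot be rolled back onto the controller.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout, chosen for this example (not the C6 format):
//   magic "FWIM" | version uint32 BE | payloadLen uint32 BE | payload | Ed25519 signature
// The signature covers everything before it, so the version field is authenticated too.
const (
	magic  = "FWIM"
	hdrLen = 12
	sigLen = ed25519.SignatureSize
)

var (
	errMalformed = errors.New("malformed image")
	errBadSig    = errors.New("signature verification failed")
	errRollback  = errors.New("version not newer than installed firmware")
)

// genKey stands in for vendor key provisioning; only the public key ships on a device.
func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// buildImage assembles and signs an update package with whatever private key it is given.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// parseImage checks structure only: magic, minimum size, and that the declared
// payload length matches the bytes actually present. It authenticates nothing.
func parseImage(img []byte) (body, sig []byte, version uint32, err error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return nil, nil, 0, errMalformed
	}
	declared := binary.BigEndian.Uint32(img[8:12])
	if uint64(declared) != uint64(len(img)-hdrLen-sigLen) {
		return nil, nil, 0, errMalformed
	}
	body = img[:len(img)-sigLen]
	return body, img[len(img)-sigLen:], binary.BigEndian.Uint32(img[4:8]), nil
}

// applyUnverified models the CVE-2026-9037 behaviour: a well-formed image from any
// source is accepted, so the management channel alone decides what the device runs.
func applyUnverified(img []byte) ([]byte, error) {
	body, _, _, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	return body[hdrLen:], nil
}

// applyVerified is the hardened path: trust only the pinned vendor key, verify the
// signature before acting on any header field, and refuse same-or-older versions.
func applyVerified(pinned ed25519.PublicKey, installed uint32, img []byte) ([]byte, error) {
	body, sig, version, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pinned, body, sig) {
		return nil, errBadSig
	}
	if version <= installed {
		return nil, errRollback
	}
	return body[hdrLen:], nil
}

func main() {
	vendorPub, vendorPriv := genKey()
	_, attackerPriv := genKey()
	good := buildImage(vendorPriv, 2, []byte("vendor build"))
	evil := buildImage(attackerPriv, 3, []byte("attacker build"))
	_, err := applyUnverified(evil)
	fmt.Println("unverified path accepts attacker image:", err == nil)
	_, err = applyVerified(vendorPub, 1, evil)
	fmt.Println("verified path, attacker image:", err)
	_, err = applyVerified(vendorPub, 2, good)
	fmt.Println("verified path, downgrade of a genuine image:", err)
}
```

The order of checks matters: the signature is verified before the version is compared, so an attacker cannot use a forged version field to drive the rollback logic, and the version counter only ever sees values the vendor actually signed.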
The remaining two vulnerabilities require physical access to the charging connector but are not dismissible on that basis. CVE-2026-9038 is a stack-based buffer overflow in signal-processing logic; a malicious device plugged into the charging port can supply oversized message fields that corrupt memory and escalate to code execution. CVE-2026-9039 is a default-credential problem: the same charging interface exposes a remote management service that accepts a factory administrative credential, giving a connected device full admin access. Physical access to a public charging station is not a high bar. Fleet depots, municipal parking facilities, and roadside charging stops are not guarded like server rooms.
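The two length checks that a message parser on the charging interface needs before it copies a field, as an added example that is not XCharge's code. The frame layout (type byte, big-endian length, value) and the 32-byte destination buffer are assumptions for illustration, not the C6 connector protocol. Go slices are bounds-checked, so the example cannot reproduce the memory corruption of CVE-2026-9038 itself; what it shows is the pair of checks whose absence produces that class of bug in a C parser that does `memcpy(dst, src, declared_len)`: the declared length must not exceed the bytes left in the frame (an over-read) and must not exceed the destination capacity (the overflow).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed message layout for this example, not the C6 connector protocol: a frame is a
// sequence of fields, each  type uint8 | length uint16 BE | value[length].
// The receiver copies each value into a fixed-size buffer, which is exactly the pattern
// that overflows the stack when the declared length is trusted.

const maxValue = 32 // capacity of the fixed-size destination for one field value

type field struct {
	typ uint8
	val [maxValue]byte
	n   int // bytes actually stored in val
}

var (
	errTruncated = errors.New("declared length runs past the end of the frame")
	errOversize  = errors.New("declared length exceeds the field buffer")
)

// parseFrame walks the frame and applies both checks before every copy: the declared
// length against the bytes remaining (over-read) and against maxValue (overflow).
func parseFrame(frame []byte) ([]field, error) {
	var fields []field
	off := 0
	for off < len(frame) {
		if len(frame)-off < 3 {
			return nil, errTruncated // not even a complete type+length header left
		}
		typ := frame[off]
		n := int(binary.BigEndian.Uint16(frame[off+1 : off+3]))
		off += 3
		if n > len(frame)-off {
			return nil, errTruncated // value would extend beyond the received bytes
		}
		if n > maxValue {
			return nil, errOversize // value would not fit the fixed-size destination
		}
		f := field{typ: typ}
		f.n = copy(f.val[:], frame[off:off+n])
		fields = append(fields, f)
		off += n
	}
	return fields, nil
}

// encodeField builds one well-formed field whose declared length matches its value.
func encodeField(typ uint8, value []byte) []byte {
	out := make([]byte, 3, 3+len(value))
	out[0] = typ
	binary.BigEndian.PutUint16(out[1:3], uint16(len(value)))
	return append(out, value...)
}

func main() {
	// Constructed frames: a benign one, a field larger than the buffer, and a frame
	// whose last field claims 16 bytes but carries only one.
	benign := append(encodeField(0x01, []byte("SESSION-42")), encodeField(0x02, []byte{0xAA, 0xBB})...)
	oversize := encodeField(0x03, make([]byte, 64))
	truncated := append(encodeField(0x01, []byte("ok")), 0x02, 0x00, 0x10, 0xFF)

	for _, c := range []struct {
		name  string
		frame []byte
	}{{"benign", benign}, {"oversize", oversize}, {"truncated", truncated}} {
		fields, err := parseFrame(c.frame)
		fmt.Printf("%-9s fields=%d err=%v\n", c.name, len(fields), err)
	}
}
```

A parser that rejects the whole frame on the first bad length, rather than clamping the copy and carrying on, is the safer choice on a charging controller: a clamped field is still attacker-shaped input reaching the logic behind it.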
What the vendor says, and what's missing
XCharge's stated remediation for all three CVEs is identical: "the update has been deployed for all affected chargers." The advisory lists affected versions as anything before May 22, 2026. What the advisory does not say is whether that deployment is an automatic over-the-air push that operators can verify passively, or a staged rollout that requires site operators or fleet managers to confirm receipt. That distinction matters operationally. If delivery is OTA and complete, the exposure window is closing. If it requires any action at the charger, network, or fleet-management-platform level, operators who assume it's done are the ones who haven't patched.
Municipal IT and transportation departments running C6 units should contact XCharge support directly to confirm firmware version on each deployed unit, not take the advisory's "deployed for all affected chargers" language as conclusive. The advisory's scope is worldwide deployment across the transportation sector; the remediation guidance amounts to a phone number.
The broader pattern
This advisory is a clean example of the gap between automotive-sector and IT-sector security assumptions in EV charging hardware. Signature verification on firmware updates is table stakes for networked devices in any context governed by NIST SP 800-82 or ICS security baselines. Its absence in a charging controller that touches both grid-adjacent infrastructure and vehicle telematics channels is not a novel finding; it is the same finding that appears in ICS advisories across smart-meter, building-automation, and EV charging product lines year after year. The controller is the perimeter: if it runs attacker-supplied firmware, everything upstream of it (the charging network management platform, the connected fleet, potentially the grid interface) inherits that trust problem.
For state CISOs and municipal transportation officers: verify firmware versions, confirm OTA delivery with XCharge, and document the confirmation. For contractors managing EV charging deployments under federal or state infrastructure programs, the CISA advisory is the artifact to attach to your remediation ticket.
Published · Updated · Deep Fathom