CISA flags three critical flaws in XCharge C6 EV charging controllers

CISA's advisory covers charging controllers, not enterprise IT, but the threat model is squarely operational technology: a networked device inside transportation infrastructure that accepts unsigned firmware over its management channel and ships with a default admin credential accessible through the same physical connector used to charge a vehicle.

The three vulnerabilities

CVE-2026-9037 is the most severe at CVSS 9.8. The C6's firmware update mechanism does not verify cryptographic signatures on packages delivered through the management interface. An attacker positioned to intercept or impersonate that channel (no physical access required) can push arbitrary firmware and execute code at high privilege. The attack vector is network, complexity is low, and no authentication is required. That combination puts it at the top of the priority queue for any operator running these units on an internet-reachable management plane.

CVE-2026-9038 (CVSS 7.6) requires physical access: connecting a malicious device to the charging interface and supplying oversized message fields to the signal-processing logic. The stack-based buffer overflow (CWE-121) can corrupt memory and escalate to code execution. Physical-access-required lowers the urgency relative to CVE-2026-9037, but transit fleets and public charging stations have high-volume, low-supervision physical contact with the connector interface by design.

CVE-2026-9039 is the default credential problem. The remote management service is reachable through the charging connector interface (the same physical channel used for vehicle signaling) and it accepts a default administrative credential. A device physically plugged into the charger can authenticate as administrator. This is CWE-118 (improper neutralization in a boundary condition), but the operational reality is simpler: anyone with a cable and knowledge of the default can own the device.

What the patch status actually means

XCharge states the update has been deployed for all affected chargers. Note the passive framing: XCharge pushed it, not the fleet operator. For organizations running C6 units in government facilities, transit depots, or other critical infrastructure, "XCharge has deployed" is a starting point for verification, not a closing action. Operators should confirm that units in their environment are running firmware dated after May 22, 2026, and should review access logs for the management interface going back to at least Q1 2026 to assess whether CVE-2026-9037's unsigned firmware path or CVE-2026-9039's default credential were exercised before the patch landed.

CISA does not report active exploitation in this advisory, but that question remains open. The scope of C6 deployments in U.S. critical infrastructure is not specified, and CISA's "worldwide" designation on affected countries doesn't narrow it. Organizations with procurement records for XCharge C6 units should treat patch verification as an open ticket, not a closed one.

This is the kind of advisory that arrives after electrification has outpaced the security review cycle: transportation infrastructure now includes operational technology that accepts network-delivered firmware updates, and the firmware signing requirement that would make CVE-2026-9037 impossible wasn't there at launch. It won't be the last EV charging advisory.