CVE-2026-9039
CWE-1188Published: May 28, 2026· Updated: May 29, 2026
Official Description
A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.
Technical Analysis
CVE-2026-9039 requires local access, meaning attackers must already have a foothold on the target system.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-1188)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-9039 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts