{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22539", "assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6", "state": "PUBLISHED", "assignerShortName": "S21sec", "dateReserved": "2026-01-07T14:01:04.828Z", "datePublished": "2026-01-07T17:12:01.065Z", "dateUpdated": "2026-01-09T19:09:20.052Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QC 60/90/120", "vendor": "EFACEC", "versions": [{"status": "affected", "version": "8"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Aar\u00f3n Flecha Men\u00e9ndez"}, {"lang": "en", "type": "finder", "value": "Iv\u00e1n Alonso \u00c1lvarez"}, {"lang": "en", "type": "finder", "value": "V\u00edctor Bello Cuevas"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6."}], "value": "As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 5.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6", "shortName": "S21sec", "dateUpdated": "2026-01-07T17:12:01.065Z"}, "references": [{"url": "https://cds.thalesgroup.com/en"}], "source": {"discovery": "UNKNOWN"}, "tags": ["x_ICS", "x_Charger"], "title": "INFORMATION DISCLOSURE VIA CURL REQUESTS (OCPP)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T19:09:06.596208Z", "id": "CVE-2026-22539", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:09:20.052Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22539", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T19:09:06.596208Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:09:16.715Z"}}], "cna": {"tags": ["x_ICS", "x_Charger"], "title": "INFORMATION DISCLOSURE VIA CURL REQUESTS (OCPP)", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Aar\u00f3n Flecha Men\u00e9ndez"}, {"lang": "en", "type": "finder", "value": "Iv\u00e1n Alonso \u00c1lvarez"}, {"lang": "en", "type": "finder", "value": "V\u00edctor Bello Cuevas"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "EFACEC", "product": "QC 60/90/120", "versions": [{"status": "affected", "version": "8"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cds.thalesgroup.com/en"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6.", "supportingMedia": [{"type": "text/html", "value": "As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6", "shortName": "S21sec", "dateUpdated": "2026-01-07T17:12:01.065Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22539", "state": "PUBLISHED", "dateUpdated": "2026-01-09T19:09:20.052Z", "dateReserved": "2026-01-07T14:01:04.828Z", "assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6", "datePublished": "2026-01-07T17:12:01.065Z", "assignerShortName": "S21sec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6."}, {"lang": "es", "value": "Como la interacci\u00f3n del servicio se realiza sin autenticaci\u00f3n, un atacante con cierto conocimiento del protocolo podr\u00eda obtener informaci\u00f3n sobre el cargador a trav\u00e9s de OCPP v1.6."}], "id": "CVE-2026-22539", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "50b5080a-775f-442e-83b5-926b5ca517b6", "type": "Secondary"}]}, "published": "2026-01-07T18:15:55.537", "references": [{"source": "50b5080a-775f-442e-83b5-926b5ca517b6", "url": "https://cds.thalesgroup.com/en"}], "sourceIdentifier": "50b5080a-775f-442e-83b5-926b5ca517b6", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "50b5080a-775f-442e-83b5-926b5ca517b6", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:50:43.686281+00:00", "value": {"mitigation_remediation": ["Apply any vendor or firmware update that secures the OCPP v1.6 service with authentication.", "Configure network segmentation or firewall rules to restrict access to the OCPP port only to trusted management systems.", "Enable or implement authentication or token validation on the OCPP interface before permitting client connections."], "summary": {"action": "Assess Impact", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "EFACEC\u2019s QC 60, QC 90, and QC 120 charging units are affected. No specific firmware or software version information was supplied, so all currently deployed units that use the unprotected OCPP v1.6 interface may be vulnerable.", "description_and_impact": "The vulnerability arises because the OCPP v1.6 service communicates without authentication, which allows an attacker with knowledge of the protocol to obtain information about the charger. This reflects the weakness classified as CWE\u2011201, a lack of authentication that permits an unauthorized party to obtain sensitive information.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score is reported as less than 1\u202f%, suggesting a low probability of exploitation at the current time. The vulnerability is not listed in the KEV catalog, so no known active exploitation has been reported. The likely attack vector is network-based, with an adversary needing only access to the OCPP interface and some knowledge of the protocol to extract charger information."}}}}, "created": "2026-01-08T09:48:05.768410+00:00", "updated": "2026-04-18T17:00:05.566842+00:00", "vendors": ["efacec", "efacec$PRODUCT$qc_120", "efacec$PRODUCT$qc_60", "efacec$PRODUCT$qc_90"]}