CVE-2026-9397 CRITICAL

CVE-2026-9397: Besen BS20 EV Charging Station OTA Update Installation improper authorization

Vendor Besen

Product BS20 EV Charging Station

Weakness CWE-285

Published May 24, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

9.2/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."

Key dates

02Disclosure timeline

May 24, 2026 CVE published

May 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-9397 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/285.html

Related vulnerabilities

CVE-2026-9397: Besen BS20 EV Charging Station OTA Update Installation improper authorization

01Description

02Disclosure timeline

03References

04Related CVE