
Description

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

PUBLISHED Reserved 2026-05-19 | Published 2026-05-28 | Updated 2026-05-29 | Assigner icscert




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-494 Download of code without integrity check

Product status

Default status: unaffected

Any version before May_22_2026: affected

Credits

Lionel R. Saposnik of SaiFlow reported these vulnerabilities to CISA. (finder)

References

www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 (government-resource)

cve.org (CVE-2026-9037)

nvd.nist.gov (CVE-2026-9037)
