Live Active security incident? Get immediate response
CVE Record

CVE-2026-9398: Besen BS20 EV Charging Station BLE/WiFi authentication replay

A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."

LowCVSS 3.1Not KEV-listed Updated
Discuss exposure Back to CVEs
Glexia's Take low

Analyst readout for executives and security teams

Plain-English summary

A Besen BS20 EV charger authentication weakness may let a nearby or locally connected attacker replay captured BLE/WiFi authentication traffic to tamper with charger commands. Sources rate this low severity because exploitation is difficult, local, and affects integrity only.

Executive priority

Handle through normal vulnerability management unless BS20 chargers are safety-critical, publicly accessible, or on shared networks. Business urgency is reduced by local access and high complexity, but operational tampering risk warrants inventory and vendor follow-up.

Technical view

CVE-2026-9398 describes authentication bypass by capture-replay in the Besen BS20 EV Charging Station BLE/WiFi component up to 20260426. It maps to CWE-287 and CWE-294. CVSS 3.1 is 3.1 with adjacent attack vector, high complexity, no privileges, no user interaction, and low integrity impact.

Likely exposure

Exposure is most likely where Besen BS20 chargers are deployed and accessible from the same local network or BLE/WiFi range. The sources do not indicate internet exploitation or affected products beyond BS20.

Exploitation context

No KEV listing is provided, and the bundle does not cite active exploitation. VulDB indicates proof-of-concept exploitability, but difficult exploitation requiring local network access and capture-replay conditions.

Researcher notes

Evidence names an unknown BLE/WiFi component and does not provide a vendor patch. Treat product scope narrowly: Besen BS20 only. Avoid assuming command impact beyond low integrity tampering described by CVSS and the linked finding.

Mitigation direction

  • Check Besen guidance for firmware updates or vendor mitigations.
  • Restrict charger management access to trusted local networks only.
  • Segment EV charging infrastructure from corporate and guest networks.
  • Monitor charger command changes for unexpected local-origin activity.
  • Limit BLE/WiFi access where operationally feasible.

Validation and detection

  • Inventory Besen BS20 chargers and record firmware or build versions.
  • Confirm whether any units match versions up to 20260426.
  • Review local network paths that can reach charger BLE/WiFi management surfaces.
  • Check logs or management records for unexpected command changes.
  • Track Besen advisory status after its April 2026 acknowledgement.
Prepared
Confidence
medium
Sources
6

Public sources used

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-287: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-294: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-9398 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profile CVE Program record
Severity
Low
CVSS
3.1 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

4 CVSS vectors
6 Timeline events
1 ADP providers
5 Source links

SSVC decision data

CISA-ADP CISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

4 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

Score Version Severity Vector Exploit Impact Source
3.1 CVSS 3.1 Low CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R 1.6 1.4 VulDB
3.1 CVSS 3.0 Low CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R 1.6 1.4 VulDB
2.3 CVSS 4.0 Low CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P VulDB
1.8 CVSS 2.0 Low AV:A/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR 3.2 2.9 VulDB

Vulnerability scoring details

Base CVSS 4.0 score

2.3 Low
CVSS 4.0 vector shape for CVE-2026-9398 Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timeline VulDB

    Advisory disclosed

  2. Source timeline VulDB

    VulDB entry created

  3. CVE reserved CVE Program

    The CVE ID was reserved by the assigning CNA.

  4. Source timeline VulDB

    VulDB entry last update

  5. CVE published CVE Program

    The CVE record was published.

  6. CVE updated CVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADP CISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

Vendor Product Version / package Status
Besen BS20 EV Charging Station 20260426 Listed
Weakness

CWE details

CWE-287CWE-294

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-287 · source CWE mapping

Improper Authentication

Improper Authentication represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Open CWE intelligence Same-CWE CVEs
CWE-294 · source CWE mapping

Authentication Bypass by Capture-replay

Authentication Bypass by Capture-replay represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Open CWE intelligence Same-CWE CVEs