CVE-2026-0778 identifies a critical security vulnerability in the Enel X JuiceBox 40 electric vehicle charging station, specifically in its Telnet service which listens on TCP port 2000 by default. The vulnerability arises from the absence of any authentication mechanism before allowing remote connections to the Telnet service. This missing authentication (CWE-306) enables an attacker with network adjacency—meaning they can reach the device on the network—to execute arbitrary code remotely without needing any credentials or user interaction. The attacker can run code with the privileges of the service account, potentially allowing full control over the device. This could lead to manipulation of charging operations, disruption of service, or use of the device as a pivot point for further network intrusion. The affected version is 4.2.7 of the JuiceBox 40. The CVSS v3.0 base score is 8.8 (high), reflecting the low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability was assigned by the Zero Day Initiative (ZDI) and published in January 2026. The lack of authentication on a critical function in a network-exposed service is a significant security oversight, especially in infrastructure components like EV charging stations that are increasingly integrated into critical energy and transportation networks.

For European organizations, the impact of this vulnerability can be substantial. Enel X JuiceBox 40 charging stations are deployed in various public and private EV charging infrastructures across Europe. Exploitation could lead to unauthorized control over charging operations, causing denial of service or manipulation of energy consumption data. This could disrupt EV charging availability, impacting transportation and logistics sectors reliant on electric vehicles. Furthermore, compromised charging stations could serve as entry points for attackers to infiltrate corporate or municipal networks, potentially leading to broader cyberattacks. Confidentiality breaches could expose user data or operational metrics. Integrity violations might allow attackers to falsify charging records or billing information. Availability impacts could cause outages in charging services, undermining trust in EV infrastructure. Given the strategic push for green energy and EV adoption in Europe, such disruptions could have economic and reputational consequences. Organizations managing EV infrastructure must consider this vulnerability a critical risk to operational continuity and cybersecurity posture.

To mitigate this vulnerability effectively, European organizations should implement the following specific measures: 1) Immediately isolate JuiceBox 40 devices running version 4.2.7 from untrusted networks, especially public internet access. 2) Restrict network access to TCP port 2000 using firewalls or network segmentation to allow only trusted management hosts. 3) Disable the Telnet service on the device if possible, or replace it with a secure management protocol that enforces authentication. 4) Monitor network traffic for unusual connections or commands targeting port 2000 on JuiceBox 40 devices. 5) Engage with Enel X for firmware updates or patches addressing this vulnerability; if no patch is available, consider temporary device replacement or enhanced compensating controls. 6) Conduct regular vulnerability scans and penetration tests on EV charging infrastructure to detect similar issues. 7) Implement strong network access controls and logging to detect and respond to exploitation attempts promptly. 8) Educate operational technology (OT) and IT teams about the risks of exposed management interfaces and enforce strict access policies. These steps go beyond generic advice by focusing on network-level controls, service disabling, and proactive monitoring tailored to the specific vulnerability and device context.