CVE-2026-22537 is a vulnerability classified under CWE-497, indicating exposure of sensitive system information to an unauthorized control sphere. It affects EFACEC's QC 60/90/120 electric vehicle charging systems, specifically version 8. The core issue stems from insufficient system hardening, which allows users who manage and maintain the charger—typically with low privilege—to access files containing clear-text credentials or other sensitive information. This exposure can facilitate unauthorized access or lateral movement within the system if an attacker gains local access. The vulnerability does not require user interaction and has no known exploits in the wild at the time of publication. The CVSS 4.0 vector indicates the attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required beyond low (PR:L), no user interaction (UI:N), and high impact on confidentiality (VC:H) but no impact on integrity or availability. The lack of patches means affected organizations must rely on compensating controls until an official fix is released. The vulnerability highlights the importance of securing maintenance interfaces and protecting sensitive configuration files, especially in critical infrastructure components such as EV charging stations.

For European organizations, this vulnerability poses a risk primarily to the confidentiality of sensitive credentials and system information within EFACEC charging stations. Exposure of clear-text credentials can lead to unauthorized access, potentially allowing attackers to manipulate charging operations, disrupt services, or pivot to other parts of the network. Given the increasing deployment of EV infrastructure across Europe, compromised charging stations could impact availability indirectly by enabling further attacks or causing operational disruptions. The impact is particularly significant for operators of public or commercial EV charging networks, energy providers, and critical infrastructure entities relying on EFACEC products. Confidentiality breaches could also lead to regulatory compliance issues under GDPR if personal or operational data is exposed. Although the vulnerability requires local access, insider threats or attackers who gain physical or network access to maintenance interfaces could exploit this weakness. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure.

Organizations should implement strict access controls to limit who can access maintenance and management interfaces of EFACEC QC 60/90/120 chargers. Network segmentation should isolate charging infrastructure from broader corporate or public networks to reduce the risk of local access by unauthorized users. Encrypting sensitive files and credentials, or replacing clear-text storage with secure credential vaults, is critical. Monitoring and logging access to maintenance interfaces and sensitive files can help detect suspicious activity early. Applying principle of least privilege to maintenance accounts and regularly rotating credentials will reduce exposure. Until official patches are available, consider deploying host-based intrusion detection systems (HIDS) on charging station management systems to alert on unauthorized file access. Engage with EFACEC for updates or security advisories and plan for timely patch deployment once available. Additionally, conduct security audits and penetration tests focusing on physical and network access controls around EV charging infrastructure.