
CVE-2026-22539: CWE-201: Insertion of Sensitive Information Into Sent Data in EFACEC QC 60/90/120

Severity: Medium
Type: Vulnerability
Tags: CVE-2026-22539, cve, cve-2026-22539, cwe-201
Published: Wed Jan 07 2026 (01/07/2026, 17:12:01 UTC)
Source: CVE Database V5
Vendor/Project: EFACEC
Product: QC 60/90/120

Description

As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6.

AI-Powered Analysis

Last updated: 01/14/2026, 19:32:25 UTC

Technical Analysis

CVE-2026-22539 is a vulnerability categorized under CWE-201 (Insertion of Sensitive Information Into Sent Data) affecting EFACEC QC 60/90/120 electric vehicle chargers, specifically version 8. The issue arises because the service interaction using the Open Charge Point Protocol (OCPP) version 1.6 is conducted without any authentication mechanism. This design flaw allows an attacker who understands the OCPP protocol to remotely query the charger and obtain sensitive information about the device. The vulnerability does not require user interaction, privileges, or authentication, and can be exploited over a network, making it accessible to remote attackers. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) indicates that the attack requires adjacent network access (e.g., local network or VPN), has low attack complexity, and no privileges or user interaction are needed. The impact is limited to confidentiality, with no direct effect on integrity or availability. No patches or known exploits currently exist, but the exposure of sensitive charger information could facilitate further targeted attacks or reconnaissance. The vulnerability highlights a critical security oversight in the implementation of OCPP communications in EFACEC chargers, emphasizing the need for authentication and encryption in EV charging infrastructure protocols.

Potential Impact

For European organizations, especially those involved in electric vehicle infrastructure, this vulnerability poses a risk of sensitive information disclosure from EFACEC QC 60/90/120 chargers. Such information could include device identifiers, configuration details, or operational data that attackers might leverage to map infrastructure, identify potential targets, or craft more sophisticated attacks. While the vulnerability does not directly allow control over the chargers or disruption of service, the confidentiality breach can undermine trust in EV infrastructure security and potentially expose organizations to follow-on attacks. Given the increasing reliance on EV charging networks across Europe, attackers could use this information to target critical transportation infrastructure or cause reputational damage. The risk is particularly relevant for public charging stations, fleet operators, and energy providers who deploy EFACEC chargers. The absence of authentication also suggests a broader security design weakness that could be exploited in combination with other vulnerabilities.

Mitigation Recommendations

To mitigate CVE-2026-22539, organizations should implement the following specific measures:

1) Deploy network segmentation and access controls to restrict access to the OCPP management interfaces, ensuring only authorized systems can communicate with chargers.
2) Introduce authentication mechanisms at the protocol level, such as mutual TLS or token-based authentication, to prevent unauthorized querying of charger information.
3) Monitor network traffic for unusual OCPP requests or patterns indicative of reconnaissance attempts.
4) Work with EFACEC to obtain firmware updates or patches that address the authentication deficiency once available.
5) If immediate patching is not possible, consider disabling or restricting OCPP v1.6 service interactions on chargers or placing them behind secure VPNs.
6) Conduct regular security assessments of EV charging infrastructure to identify and remediate similar protocol-level vulnerabilities.
7) Educate operational staff on the risks of exposed management interfaces and enforce strict operational security policies around charger network access.
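
Recommendation 3 expressed as detection logic, in an added example that is not part of the original advisory and is not EFACEC code: it flags OCPP requests for charger information that reach a charger from a sender outside an allowlist. The OCPP 1.6-J JSON framing, the list of watched actions, the addresses and the sample frames are assumptions constructed for illustration.

```python
import json

# Assumption: OCPP 1.6-J framing, where a request (CALL) is the JSON array
# [2, "<uniqueId>", "<Action>", {payload}]; type 3/4 frames are replies.
CALL = 2
# Assumption: OCPP 1.6 requests that read data back from a charger. The
# advisory does not say which requests the affected chargers answer.
INFO_ACTIONS = {"GetConfiguration", "GetDiagnostics", "GetLocalListVersion",
                "GetCompositeSchedule", "TriggerMessage"}
# Constructed addresses: the one approved management system, and the chargers.
AUTHORIZED = {"10.20.0.5"}
CHARGERS = {"10.20.1.11", "10.20.1.12"}
# Constructed sensor export: (time, sender, receiver, decoded text frame).
SAMPLE_FRAMES = [
    ("12:00:01", "10.20.0.5", "10.20.1.11", '[2,"a1","GetConfiguration",{"key":["HeartbeatInterval"]}]'),
    ("12:00:02", "10.20.1.11", "10.20.0.5", '[3,"a1",{"configurationKey":[]}]'),
    ("12:03:10", "10.20.1.77", "10.20.1.11", '[2,"x1","GetConfiguration",{}]'),
    ("12:03:11", "10.20.1.77", "10.20.1.12", '[2,"x2","GetLocalListVersion",{}]'),
    ("12:03:12", "10.20.1.77", "10.20.1.12", '[2,"x3","GetConfig'),  # truncated frame
    ("12:04:00", "10.20.1.12", "10.20.0.5", '[2,"h9","Heartbeat",{}]'),
]


def parse_call(raw):
    """Return (action, payload) for a well-formed CALL frame, else None."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(msg, list) or len(msg) != 4 or msg[0] != CALL:
        return None
    action, payload = msg[2], msg[3]
    if not isinstance(action, str) or not isinstance(payload, dict):
        return None
    return action, payload


def find_unapproved_queries(frames, authorized=AUTHORIZED, chargers=CHARGERS):
    """Flag information requests sent to a charger by a non-approved sender."""
    alerts = []
    for ts, src, dst, raw in frames:
        call = parse_call(raw)
        if call is None or dst not in chargers or src in authorized:
            continue  # malformed frame, reply, not charger-bound, or approved
        action, payload = call
        if action in INFO_ACTIONS:
            alerts.append({"time": ts, "sender": src, "charger": dst,
                           "action": action, "keys": payload.get("key", [])})
    return alerts
```

Calling `find_unapproved_queries(SAMPLE_FRAMES)` returns one alert per flagged request; the allowlist and charger inventory would come from the site's own asset records.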


Technical Details

Data Version: 5.2
Assigner Short Name: S21sec
Date Reserved: 2026-01-07T14:01:04.828Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695e97867349d0379db35c80

Added to database: 1/7/2026, 5:27:34 PM

Last enriched: 1/14/2026, 7:32:25 PM

Last updated: 2/7/2026, 9:54:58 AM
