
CVE-2026-22539: CWE-201: Insertion of Sensitive Information Into Sent Data in EFACEC QC 60/90/120

Severity: Medium
Tags: Vulnerability, CVE-2026-22539, CWE-201
Published: Wed Jan 07 2026 (01/07/2026, 17:12:01 UTC)
Source: CVE Database V5
Vendor/Project: EFACEC
Product: QC 60/90/120

Description

As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6.

AI-Powered Analysis

AI analysis last updated: 01/07/2026, 17:42:39 UTC

Technical Analysis

CVE-2026-22539 affects EFACEC QC 60/90/120 electric vehicle chargers; the record lists version 8 as the affected version. The weakness is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). The root cause is that the charger's service interaction over the Open Charge Point Protocol (OCPP) version 1.6 is performed without any authentication, so any peer that can reach the OCPP endpoint and speaks the protocol can exchange messages with the charger and read what it returns. That matters because OCPP 1.6 traffic routinely carries identifying data: a BootNotification.req includes the vendor, model, charge point and charge box serial numbers and firmware version, and a GetConfiguration.conf returns the charger's configuration keys and values. An unauthenticated peer can therefore fingerprint a unit, learn its firmware level and configuration, and map deployed infrastructure for follow-on attacks. No user interaction or privileges are required. The CVSS 4.0 vector reported with the medium score of 5.3 has an adjacent-network attack vector with low attack complexity, no privileges required, no user interaction and limited confidentiality impact: the attacker must be able to reach the charger's OCPP network segment, not an arbitrary Internet position. Note that the base OCPP 1.6 specification provides no authentication of its own; the OCPP 1.6 security whitepaper adds optional security profiles (HTTP Basic authentication, TLS, and TLS client certificates), and whether a given charger firmware supports them is vendor-specific. No patches or public exploits are reported at the time of writing, but an unauthenticated management protocol on a critical-infrastructure component is a notable risk, and the issue illustrates why protocol-level authentication and access control matter in IoT and energy devices.

Potential Impact

For European organizations, the impact of CVE-2026-22539 centres on exposure of charger identity and configuration data from EFACEC EV chargers, which are widely deployed across Europe. Disclosure of charger details lets an attacker map charging infrastructure, identify units running specific firmware versions, and plan targeted attacks against them. That can lead to privacy concerns, disruption of charging services, or deeper compromise if the disclosed data is combined with other weaknesses in the charger or its back-end. Given the growing reliance on EV infrastructure for transportation and energy management, such weaknesses can undermine trust and operational continuity. Operators of public or private charging stations may face reputational damage and regulatory scrutiny if charger data is leaked. The medium severity reflects limited direct impact on availability or integrity, but the confidentiality loss can have cascading effects, especially when chained with other vulnerabilities or insider access. Because the European energy and transportation sectors are critical infrastructure, even moderate weaknesses warrant prompt attention to prevent escalation.

Mitigation Recommendations

To mitigate CVE-2026-22539, European organizations should implement the following specific measures:

1) Enforce network segmentation so that EV chargers sit in their own zone, reachable only from the central system (CSMS) and authorised management hosts; this directly reduces the adjacent-network exposure the CVSS vector describes.
2) Add protocol-level authentication and encryption where the firmware allows it: enable an OCPP 1.6 security profile (HTTP Basic authentication over TLS, or TLS client certificates), move to OCPP 2.0.1 where supported, or at minimum carry OCPP traffic inside a VPN tunnel so the charger is not reachable in the clear.
3) Monitor charger traffic for anomalous OCPP messages, connections to unexpected central-system hosts, or GetConfiguration and BootNotification exchanges with unknown peers, using IDS/IPS or network monitoring tuned for OCPP-J (JSON over WebSocket).
4) Restrict physical and logical access to charger management interfaces to authorised personnel only.
5) Engage with EFACEC for firmware updates or patches addressing this vulnerability and apply them promptly once available.
6) Conduct regular security assessments and penetration tests of EV charging infrastructure to identify and remediate similar weaknesses.
7) Maintain an inventory of affected devices and track their firmware versions to prioritise remediation.
8) Educate operational staff about the risks of unauthenticated protocol interactions and enforce strict operational security policies around EV infrastructure.
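The following script is an added example, not code from EFACEC or from this advisory. It shows, for the technical analysis and for mitigation steps 2 and 3 above, what an unauthenticated observer of OCPP 1.6-J traffic learns and how to check a captured charger session for the missing protections. It uses the OCPP-J frame layout from the OCPP 1.6 JSON specification (`[2, id, action, payload]` for CALL, `[3, id, payload]` for CALLRESULT, `[4, id, code, description, details]` for CALLERROR) and the field names of BootNotification.req and GetConfiguration.conf; the central-system URL, headers and frames are constructed sample data, not a real capture.

```python
import json
from urllib.parse import urlparse

# OCPP-J MessageTypeId values (OCPP 1.6 JSON specification).
CALL, CALLRESULT, CALLERROR = 2, 3, 4

# BootNotification.req fields that identify a specific charger (OCPP 1.6, 6.2).
BOOT_IDENTIFYING_FIELDS = frozenset({
    "chargePointVendor", "chargePointModel", "chargePointSerialNumber",
    "chargeBoxSerialNumber", "firmwareVersion", "iccid", "imsi",
    "meterType", "meterSerialNumber",
})


def parse_frame(raw: str) -> dict:
    """Decode one OCPP-J frame into a uniform dict; reject anything malformed."""
    msg = json.loads(raw)
    if not isinstance(msg, list) or not msg:
        raise ValueError("not an OCPP-J frame")
    if msg[0] == CALL and len(msg) == 4:
        return {"type": "CALL", "id": msg[1], "action": msg[2], "payload": msg[3]}
    if msg[0] == CALLRESULT and len(msg) == 3:
        return {"type": "CALLRESULT", "id": msg[1], "action": None, "payload": msg[2]}
    if msg[0] == CALLERROR and len(msg) == 5:
        return {"type": "CALLERROR", "id": msg[1], "action": None,
                "payload": {"code": msg[2], "description": msg[3], "details": msg[4]}}
    raise ValueError("malformed OCPP-J frame: " + raw[:60])


def disclosed_fields(frame: dict, pending: dict) -> list:
    """Names of charger-identifying data carried by this frame.
    `pending` maps outstanding CALL ids to their action so a CALLRESULT
    (which carries no action name) can be attributed to its request."""
    if frame["type"] == "CALL":
        pending[frame["id"]] = frame["action"]
        if frame["action"] == "BootNotification":
            return sorted(k for k in frame["payload"] if k in BOOT_IDENTIFYING_FIELDS)
        return []
    if frame["type"] == "CALLRESULT":
        action = pending.pop(frame["id"], None)
        if action == "GetConfiguration":
            # GetConfiguration.conf enumerates configuration keys and their values.
            keys = frame["payload"].get("configurationKey", [])
            return ["configurationKey:" + kv["key"] for kv in keys]
    return []


def transport_findings(url: str, headers: dict) -> list:
    """Flag a charger-to-central-system connection lacking the protections the
    OCPP 1.6 security profiles add: TLS (wss://) and an Authorization header."""
    findings = []
    if urlparse(url).scheme != "wss":
        findings.append("cleartext ws:// transport: frames readable and modifiable on path")
    if not any(h.lower() == "authorization" for h in headers):
        findings.append("no Authorization header: charger never authenticates to its peer")
    return findings


def audit_session(url: str, headers: dict, frames: list) -> dict:
    """Walk a captured session and summarise what an unauthenticated observer learns."""
    pending = {}
    disclosed = []
    for raw in frames:
        disclosed.extend(disclosed_fields(parse_frame(raw), pending))
    return {"transport": transport_findings(url, headers), "disclosed": disclosed}


# Constructed sample session (not a real capture): a charger dialling a cleartext
# central-system URL with no credentials, then answering a GetConfiguration request.
SAMPLE_URL = "ws://csms.example.invalid/ocpp/CP001"
SAMPLE_HEADERS = {"Sec-WebSocket-Protocol": "ocpp1.6"}
SAMPLE_FRAMES = [
    json.dumps([2, "1", "BootNotification", {
        "chargePointVendor": "ExampleVendor", "chargePointModel": "ExampleModel",
        "chargePointSerialNumber": "SN-0000", "firmwareVersion": "0.0.0"}]),
    json.dumps([3, "1", {"status": "Accepted",
                         "currentTime": "2026-01-07T17:00:00Z", "interval": 300}]),
    json.dumps([2, "2", "GetConfiguration", {}]),
    json.dumps([3, "2", {"configurationKey": [
        {"key": "AuthorizeRemoteTxRequests", "readonly": False, "value": "true"},
        {"key": "NumberOfConnectors", "readonly": True, "value": "2"}]}]),
]

if __name__ == "__main__":
    print(json.dumps(audit_session(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_FRAMES), indent=2))
```

Run against a real capture (for example the JSON text frames exported from a WebSocket decode of a packet capture), the `disclosed` list is the inventory of what an unauthenticated peer on the charger's segment can collect, and an empty `transport` list is the state mitigation step 2 aims for: `wss://` plus an `Authorization` header (or a client certificate, which this check does not see and must be verified at the TLS layer).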


Technical Details

Data Version
5.2
Assigner Short Name
S21sec
Date Reserved
2026-01-07T14:01:04.828Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 695e97867349d0379db35c80

Added to database: 1/7/2026, 5:27:34 PM

Last enriched: 1/7/2026, 5:42:39 PM

Last updated: 1/8/2026, 10:00:21 PM

