CVE-2026-22540 is a critical denial of service vulnerability affecting EFACEC QC60/90/120 electric vehicle chargers. The root cause is uncontrolled resource consumption (CWE-400) triggered by an attacker sending a massive volume of ARP (Address Resolution Protocol) requests to a specific control board within the charger. This board is responsible for managing the EV interface, and its proper operation is essential for the charger's functionality. When overwhelmed by ARP floods, the board experiences resource exhaustion, leading to a denial of service condition that forces a restart of the charger’s functionalities. The vulnerability can be exploited remotely without any authentication or user interaction, making it highly accessible to attackers with network access. The CVSS 4.0 base score is 9.2, reflecting the critical nature of the flaw due to its high impact on availability and the ease of exploitation. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The vulnerability does not affect confidentiality or integrity but severely impacts availability (VA:H). No patches or firmware updates have been published yet, and no known exploits have been observed in the wild. The vulnerability highlights the risks of insufficient input validation and resource management in embedded systems controlling critical infrastructure components such as EV chargers.

For European organizations, this vulnerability poses a significant threat to the availability and reliability of EV charging infrastructure. Disruptions caused by forced restarts of chargers can lead to service outages, impacting EV users and potentially causing operational and reputational damage to charging network operators and service providers. In critical scenarios, such as public charging stations or fleet charging depots, repeated or prolonged downtime could affect transportation logistics and increase operational costs. The vulnerability could also be exploited as part of a larger attack campaign targeting smart grid or energy infrastructure, amplifying its impact. Given the increasing adoption of electric vehicles across Europe, especially in countries with aggressive EV policies and infrastructure investments, the potential scale of impact is substantial. Additionally, the lack of authentication and ease of exploitation increase the risk of opportunistic or targeted attacks by malicious actors.

1. Implement network-level filtering to detect and block abnormal ARP traffic volumes targeting EFACEC charger control boards. 2. Segment the network to isolate charger control interfaces from general network access, limiting exposure to potential attackers. 3. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to identify ARP flooding attempts. 4. Monitor charger logs and network traffic for unusual ARP request patterns indicative of an ongoing attack. 5. Engage with EFACEC to obtain firmware updates or patches addressing the vulnerability as soon as they become available. 6. Consider deploying rate limiting on ARP requests at network switches or routers connected to charging infrastructure. 7. Conduct regular security assessments of EV charging networks to identify and remediate similar resource exhaustion risks. 8. Develop incident response plans specific to EV charger availability disruptions to minimize downtime and impact.