CVE-2026-22540: CWE-400 Uncontrolled Resource Consumption in EFACEC QC60/90/120
CVE-2026-22540 is a critical vulnerability in EFACEC QC60/90/120 electric vehicle chargers caused by uncontrolled resource consumption (CWE-400). An attacker can trigger a denial of service by flooding one of the charger's control boards with a massive volume of ARP requests, disrupting the board responsible for managing the EV interface and preventing the charger from functioning properly. The vulnerability requires no authentication or user interaction and is scored with a network attack vector; note, however, that ARP is a link-layer protocol that is not forwarded by routers, so in practice the attacker needs a presence on the charger's Layer 2 segment (a compromised host on the site LAN, an open switch port, or a bridged wireless segment). With a CVSS 4.0 score of 9.2, it poses a severe risk to availability. European organizations relying on EFACEC chargers, especially in countries with high EV adoption and EFACEC market presence, are at significant risk. Mitigation requires switch-level control of ARP traffic (storm control, rate limiting, dynamic ARP inspection), segmentation of charger management interfaces, and close monitoring of network traffic to detect anomalies. Patch information is currently unavailable, so proactive network defenses are critical.
AI Analysis
Technical Summary
CVE-2026-22540 is a critical denial-of-service vulnerability affecting EFACEC QC60/90/120 electric vehicle chargers. The root cause is uncontrolled resource consumption (CWE-400) triggered by an attacker sending a massive volume of ARP (Address Resolution Protocol) requests to one of the charger's control boards. This board is responsible for managing the EV interface, and its failure causes the entire charger to malfunction. The vulnerability can be exploited without any authentication or user interaction, making it highly accessible to attackers. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on availability (VA:H), with no impact on confidentiality or integrity. One practical caveat on the attack vector: ARP frames are delivered by Layer 2 broadcast and are never routed, so an ARP flood must originate from a device on the same broadcast domain as the affected control board. Any host that can reach that segment, whether through the charging site's LAN, a compromised operator device, or an unprotected switch port, can launch the attack with commodity tooling, and spoofed source MAC addresses are trivial, so per-source rate limits alone are not a reliable control. The flaw essentially allows an attacker to overwhelm the control board's resources, causing it to become unresponsive and denying service to legitimate EV charging operations. Given the critical role of EV chargers in transportation infrastructure, this vulnerability could disrupt EV charging stations, leading to operational downtime and potential cascading effects on EV users and fleet operators. No patches or fixes have been published yet, increasing the urgency for network-level mitigations and monitoring. The vulnerability was published on January 7, 2026, and is tracked under CWE-400, which relates to resource exhaustion issues.
Potential Impact
The primary impact is on availability, as the vulnerability enables denial of service on EFACEC QC60/90/120 chargers by exhausting resources on a critical control board. For European organizations, especially those operating EV charging infrastructure, this could lead to widespread charger outages, disrupting EV fleet operations, public charging availability, and potentially causing economic and reputational damage. Critical infrastructure operators and commercial EV fleet managers may face operational delays and increased costs due to charger downtime. The disruption could also undermine confidence in EV infrastructure reliability, slowing EV adoption. Since EFACEC is a major European manufacturer with significant market share in countries like Portugal, Germany, France, and the Netherlands, the impact is geographically concentrated but potentially severe. The lack of authentication or user interaction required for exploitation increases the risk of automated or large-scale attacks. Additionally, the vulnerability could be leveraged as part of a broader attack campaign targeting transportation infrastructure, with potential cascading effects on energy and mobility sectors.
Mitigation Recommendations
1. Implement detection and blocking of abnormal ARP traffic volumes on the segments where EFACEC chargers sit, using intrusion detection/prevention systems (IDS/IPS) or switch telemetry with ARP flood detection capabilities; the sensor must see Layer 2 traffic on the charger's own VLAN (for example via a SPAN/mirror port), because a sensor on another segment never observes ARP.
2. Segment the network to isolate charger control and management interfaces in a dedicated VLAN, reducing the number of devices that share a broadcast domain with the charger and therefore the number of devices from which an ARP flood could originate.
3. Enable per-port broadcast storm control and ARP rate limiting on the access switches connected to charging stations. Routers do not forward ARP, so this control only works on the switches themselves, and it should be keyed per port rather than per source MAC, since a flood can rotate spoofed source addresses.
4. Monitor network traffic continuously for unusual ARP request rates, particularly bursts of requests targeting the charger's IP addresses, and establish alerting mechanisms for rapid incident response.
5. Coordinate with EFACEC for timely patch releases and apply firmware updates as soon as they become available.
6. Where the switching platform supports it, enable Dynamic ARP Inspection on the charger VLAN so that ARP frames are validated and rate limited at the access port; a firewall or security gateway placed between segments adds value for routed traffic but cannot see or stop a flood inside the charger's own segment.
7. Educate operational staff on recognizing symptoms of charger denial of service (unresponsive EV interface, sessions failing to start, board reboots) and establish incident response playbooks specific to this vulnerability.
8. Engage with local CERTs and industry groups to share threat intelligence and mitigation strategies related to this vulnerability.
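The detection called for in recommendations 1 and 4 can be prototyped without vendor tooling. The following is an added example written for this page, not code from the original advisory, from EFACEC, or from S21sec: it parses raw Ethernet/ARP frames and raises an alert when the number of ARP requests aimed at a given target IP within a sliding window exceeds a threshold. The frames are constructed inline (a few benign gateway lookups followed by a burst with rotating source MAC addresses), and the charger address 10.10.20.5, the 1 second window, and the threshold of 100 requests are assumptions chosen for illustration; in production the frames would come from a mirror port on the charger VLAN and the threshold would be tuned to the site's baseline.

```python
import struct
from collections import defaultdict, deque

# Ethernet II header: dst MAC, src MAC, EtherType
ETH_HDR = struct.Struct("!6s6sH")
# ARP for IPv4 over Ethernet: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/ARP-over-IPv4 frame, or None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "src_mac": src.hex(":"),
        "oper": oper,
        "sender_ip": ".".join(str(b) for b in spa),
        "target_ip": ".".join(str(b) for b in tpa),
    }


def build_arp_request(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast 'who-has target_ip' request (constructed test input)."""
    eth = ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       src_mac, ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp


class ArpFloodDetector:
    """Sliding-window counter of ARP requests per *target* IP.

    Keying on the target rather than the source MAC matters: a flood aimed at a
    charger can rotate spoofed source addresses, which defeats per-source counting.
    Timestamps are integer milliseconds to keep the demo deterministic.
    """

    def __init__(self, window_ms: int = 1000, threshold: int = 100):
        self.window_ms = window_ms
        self.threshold = threshold
        self.by_target = defaultdict(deque)
        self.alerts = []  # (ts_ms, target_ip, requests_in_window)

    def observe(self, ts_ms: int, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REQUEST:
            return None
        window = self.by_target[arp["target_ip"]]
        window.append(ts_ms)
        while window and ts_ms - window[0] > self.window_ms:
            window.popleft()
        if len(window) > self.threshold:
            alert = (ts_ms, arp["target_ip"], len(window))
            self.alerts.append(alert)
            return alert
        return None


def run_demo() -> ArpFloodDetector:
    charger_ip = "10.10.20.5"  # assumed address of the charger control board
    det = ArpFloodDetector(window_ms=1000, threshold=100)
    # Benign background: a gateway resolving five different hosts over one second.
    gateway_mac = bytes.fromhex("001122334455")
    for i in range(5):
        det.observe(200 * i, build_arp_request(gateway_mac, "10.10.20.1", f"10.10.20.{10 + i}"))
    # Constructed flood: 500 requests for the charger in half a second,
    # each from a different locally administered source MAC.
    for i in range(500):
        spoofed_mac = (0x020000000000 + i).to_bytes(6, "big")
        det.observe(1000 + i, build_arp_request(spoofed_mac, "10.10.20.200", charger_ip))
    return det


if __name__ == "__main__":
    d = run_demo()
    print(f"{len(d.alerts)} alerts; first: {d.alerts[0]}")
```

The benign lookups never trip the detector because each targets a different host; the flood is flagged on the 101st request for the charger address, about 100 ms into the burst, even though no two frames share a source MAC. A real deployment should also treat a sudden rise in total ARP broadcast rate on the VLAN as a signal, since an attacker can spread requests across many target addresses the board will still have to process.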
Affected Countries
Portugal, Germany, France, Netherlands, Spain, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: S21sec
- Date Reserved: 2026-01-07T14:01:04.829Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695e6d507349d0379da4e26d
Added to database: 1/7/2026, 2:27:28 PM
Last enriched: 1/14/2026, 3:57:00 PM
Last updated: 2/7/2026, 11:25:02 AM
Views: 194
Related Threats
- CVE-2026-2083: SQL Injection in code-projects Social Networking Site (Medium)
- CVE-2026-2082: OS Command Injection in D-Link DIR-823X (Medium)
- CVE-2026-2080: Command Injection in UTT HiPER 810 (High)
- CVE-2026-2079: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker (Medium)