
CVE-2026-22541: CWE-400 Uncontrolled Resource Consumption in EFACEC QC 60/90/120

Severity: High
Type: Vulnerability
Published: Wed Jan 07 2026 (01/07/2026, 15:12:42 UTC)
Source: CVE Database V5
Vendor/Project: EFACEC
Product: QC 60/90/120

Description

The massive sending of ICMP requests causes a denial of service on one of the boards of the EVCharger, the board that allows control of the EV interfaces. The board must be operating correctly for the charger to also function correctly.

AI-Powered Analysis

Last updated: 01/07/2026, 15:41:52 UTC

Technical Analysis

CVE-2026-22541 is classified under CWE-400, indicating an uncontrolled resource consumption vulnerability in EFACEC QC 60/90/120 electric vehicle (EV) charger boards, specifically version 8. The vulnerability arises from the device's handling of ICMP requests; an attacker can send a massive volume of ICMP packets to the affected board, overwhelming its processing capacity. This results in a denial of service (DoS) condition on the board responsible for controlling the EV interfaces. Since this board is critical for the correct operation of the charger, its failure causes the entire charging station to become non-functional. The CVSS 4.0 base score is 8.2 (high severity), reflecting the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a high impact on availability (VA:H). The vulnerability does not affect confidentiality or integrity but severely impacts availability. No known exploits have been reported in the wild yet, but the potential for disruption is significant given the critical infrastructure role of EV chargers. The vulnerability is published and assigned by S21sec, but no patches are currently linked, indicating that remediation may still be pending or in development.

Potential Impact

For European organizations, the impact of CVE-2026-22541 is primarily operational, affecting the availability of EV charging infrastructure. Disruption of EV chargers can lead to significant inconvenience for EV users, potential loss of revenue for charging station operators, and reputational damage. In critical infrastructure contexts, such as public transportation hubs, commercial fleets, or municipal EV charging networks, prolonged outages could hinder transportation logistics and energy management. Given the increasing adoption of electric vehicles across Europe and the strategic push for sustainable transportation, any disruption in EV charging availability poses a risk to broader environmental and economic goals. Additionally, attackers could leverage this vulnerability to cause targeted denial of service attacks during peak usage times or coordinated campaigns against energy infrastructure. Because exploitation requires neither authentication nor user interaction, the barrier for exploitation is low. Organizations relying on EFACEC QC 60/90/120 chargers must consider the operational risks and potential cascading effects on EV ecosystem services.

Mitigation Recommendations

Immediate mitigation should focus on network-level defenses to prevent or limit ICMP flood attacks targeting the affected boards. This includes implementing rate limiting and filtering of ICMP traffic at firewalls and network edge devices to reduce the volume of ICMP packets reaching the chargers. Network segmentation can isolate EV charging infrastructure from general-purpose networks, minimizing exposure. Monitoring network traffic for unusual ICMP patterns and setting up alerts can provide early detection of attempted exploitation. Organizations should engage with EFACEC for official patches or firmware updates addressing this vulnerability and plan timely deployment once available. Additionally, incorporating redundancy in EV charging infrastructure can reduce the impact of individual charger outages. Incident response plans should include procedures for rapid identification and mitigation of DoS conditions affecting EV chargers. Finally, collaboration with energy and transportation sector cybersecurity groups can facilitate information sharing and coordinated defense strategies.
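The monitoring step above, sketched as an added example (not code from EFACEC or from this page): a sliding-window counter over firewall log lines that flags a charger address once its inbound ICMP rate exceeds a threshold. The log format, the addresses (documentation ranges), the threshold and the window are assumptions, to be tuned against the site's normal monitoring traffic.

```python
import re
from collections import defaultdict, deque

# Assumed (constructed) log format: "<epoch> proto=<P> src=<ip> dst=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def detect_icmp_floods(lines, chargers, threshold=50, window=1.0):
    """Map each charger address to the time its ICMP rate first exceeded
    `threshold` packets per `window` seconds. Lines must be in time order."""
    recent = defaultdict(deque)   # dst -> timestamps inside the current window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue              # skip lines that do not parse
        ts, dst = float(m["ts"]), m["dst"]
        if m["proto"] != "ICMP" or dst not in chargers:
            continue
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window: # expire timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.setdefault(dst, ts)   # keep only the first alert time
    return alerts

def sample_log():
    """Constructed sample; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges."""
    # Routine reachability checks: one ICMP packet per second toward one charger.
    lines = [f"{1000 + i:.3f} proto=ICMP src=192.0.2.1 dst=192.0.2.10" for i in range(5)]
    # Abnormal burst: 200 ICMP packets within one second toward another charger.
    lines += [f"{1010 + i * 0.005:.3f} proto=ICMP src=198.51.100.7 dst=192.0.2.11" for i in range(200)]
    lines += ["1011.500 proto=TCP src=192.0.2.1 dst=192.0.2.11", "unparseable line"]
    return lines

CHARGERS = {"192.0.2.10", "192.0.2.11"}   # hypothetical charger management addresses

if __name__ == "__main__":
    for dst, ts in detect_icmp_floods(sample_log(), CHARGERS).items():
        print(f"ALERT: ICMP flood toward charger {dst}, first seen at t={ts:.3f}")
```

The same threshold is a reasonable starting point for the rate limit applied at the firewall in front of the chargers, so that alerting and filtering agree on what counts as abnormal.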


Technical Details

Data Version: 5.2
Assigner Short Name: S21sec
Date Reserved: 2026-01-07T14:01:04.829Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695e7b617349d0379da93610

Added to database: 1/7/2026, 3:27:29 PM

Last enriched: 1/7/2026, 3:41:52 PM

Last updated: 1/8/2026, 6:46:14 PM
