CVE-2026-22541: CWE-400 Uncontrolled Resource Consumption in EFACEC QC 60/90/120
CVE-2026-22541 is a high-severity vulnerability affecting EFACEC QC 60/90/120 electric vehicle chargers. It involves uncontrolled resource consumption (CWE-400) triggered by a massive flood of ICMP requests targeting a critical control board within the charger. This denial of service (DoS) condition disrupts the board's operation, which is essential for managing EV interfaces, thereby rendering the charger non-functional. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. Although no known exploits are currently reported in the wild, the ease of exploitation and potential impact on EV charging infrastructure make this a significant threat. European organizations operating EFACEC chargers, especially in countries with high EV adoption and EFACEC market presence, are at risk. Mitigation involves network-level filtering of ICMP traffic, segmentation of EV charger management networks, and close collaboration with EFACEC for firmware updates once available. Countries like Portugal, Germany, France, and the Netherlands are likely most affected due to EFACEC's market footprint and EV infrastructure density.
AI Analysis
Technical Summary
CVE-2026-22541 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting EFACEC's QC 60/90/120 electric vehicle chargers, specifically version 8. The flaw arises from the device's susceptibility to a denial of service attack via a flood of ICMP requests targeting one of the internal control boards responsible for managing EV interfaces. This board must operate correctly for the charger to function; overwhelming it with ICMP traffic exhausts its resources, causing it to fail and thus disabling the charger. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 score of 8.2 (high severity) reflects the network attack vector, low complexity, no privileges required, no user interaction, and a high impact on availability. While no public exploits have been reported, the potential for disruption to EV charging infrastructure is significant, especially given the increasing reliance on electric vehicles in Europe. The lack of available patches at the time of reporting necessitates immediate network-level mitigations and monitoring. EFACEC chargers are deployed widely in Europe, particularly in Portugal (EFACEC's home country), Germany, France, and the Netherlands, where EV adoption is high and charging infrastructure is critical. This vulnerability highlights the importance of securing industrial IoT and critical infrastructure devices against resource exhaustion attacks.
Potential Impact
The primary impact of CVE-2026-22541 is a denial of service condition that disables EFACEC QC 60/90/120 EV chargers by exhausting the resources of a critical control board via ICMP flooding. For European organizations, this can lead to significant operational disruptions in EV charging infrastructure, affecting public and private charging stations. This disruption can impede EV fleet operations, reduce availability for consumers, and potentially cause economic losses and reputational damage to charging service providers. Given the increasing push for electric mobility across Europe, such outages could slow EV adoption and undermine confidence in charging networks. Critical infrastructure operators, municipalities, and commercial fleet operators relying on EFACEC chargers are particularly vulnerable. The attack does not compromise confidentiality or integrity but severely impacts availability, which is crucial for infrastructure reliability. The ease of exploitation without authentication and the remote attack vector increase the likelihood of targeted or opportunistic attacks, especially in countries with dense EV infrastructure and EFACEC deployments.
Mitigation Recommendations
1. Implement network-level filtering to limit or block excessive ICMP traffic directed at EFACEC QC 60/90/120 chargers, using firewalls or intrusion prevention systems to detect and mitigate ICMP floods.
2. Segment EV charger management networks from general corporate or public networks to reduce exposure to external attacks.
3. Monitor network traffic for unusual ICMP activity patterns indicative of resource exhaustion attempts.
4. Engage with EFACEC support channels to obtain firmware updates or patches as they become available and prioritize their deployment.
5. Employ rate limiting on network devices to restrict the volume of ICMP packets reaching the chargers.
6. Conduct regular security assessments of EV charging infrastructure to identify and remediate potential vulnerabilities.
7. Develop incident response plans specifically addressing EV charger outages to minimize downtime and impact.
8. Consider deploying redundant charging infrastructure to maintain service availability during targeted attacks.
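Recommendations 1, 3 and 5 above come down to the same detection primitive: count ICMP packets per destination in a short time window and alert when a charger address exceeds a rate that normal management traffic never reaches. The following is an added example, not code from EFACEC or from this advisory; the log line format, the charger subnet 10.20.30.0/24, the window and the threshold are all assumptions, and the sample log is constructed.

```python
"""Flag ICMP floods toward EV-charger addresses in firewall log lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumed syslog-style line format (constructed, not any vendor's real format):
#   "<epoch_seconds> proto=icmp type=<icmp_type> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+proto=icmp\s+type=(?P<type>\d+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)$"
)

# Assumed charger management subnet; adapt to the segmented network you actually run.
CHARGER_NET = ipaddress.ip_network("10.20.30.0/24")


def icmp_rate_alerts(lines, window_s=1, threshold=100, net=CHARGER_NET):
    """Return {(dst_ip, window_start): count} for every window in which more than
    `threshold` ICMP packets were logged toward a single address inside `net`.
    Non-ICMP and unparseable lines are skipped rather than raising."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst not in net:
            continue  # only chargers are in scope for this detector
        bucket = (int(m["ts"]) // window_s) * window_s
        counts[(str(dst), bucket)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def constructed_log(n_flood=150):
    """Constructed sample: one charger receives n_flood echo requests from a single
    external source in one second; a second charger sees a normal ping exchange."""
    lines = ["1700000000 proto=icmp type=8 src=203.0.113.5 dst=10.20.30.17"] * n_flood
    lines += [
        "1700000000 proto=icmp type=8 src=10.20.30.1 dst=10.20.30.18",
        "1700000001 proto=icmp type=0 src=10.20.30.18 dst=10.20.30.1",
        "1700000001 proto=tcp src=10.20.30.1 dst=10.20.30.17",  # ignored: not ICMP
    ]
    return lines


if __name__ == "__main__":
    for (dst, start), n in icmp_rate_alerts(constructed_log()).items():
        print(f"ALERT icmp flood toward {dst}: {n} packets in window starting {start}")
```

The same per-destination, per-window count is what a firewall ICMP rate limit enforces in the data path; running it over logs gives you the monitoring signal even before the limit is in place.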
Affected Countries
Portugal, Germany, France, Netherlands, Spain, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: S21sec
- Date Reserved: 2026-01-07T14:01:04.829Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695e7b617349d0379da93610
Added to database: 1/7/2026, 3:27:29 PM
Last enriched: 1/14/2026, 3:52:27 PM
Last updated: 2/5/2026, 5:57:14 AM