Closed · Low impact · AI Generated

CISA Advisory: XCharge C6 EV Charger Critical Vulnerabilities

Occurred 28 May 2026 · Detected 28 May 2026 · Ended 29 May 2026 · 1 report
🇺🇸 Worldwide deployment; XCharge headquartered in the United States
Cyber · Property · Cyber Casualty & Liability

CISA has published an ICS advisory disclosing three critical/high-severity vulnerabilities in the XCharge C6 EV charging controller: a firmware integrity bypass (CVSS 9.8), a stack-based buffer overflow, and an insecure default credential flaw. The vulnerabilities affect chargers deployed worldwide and could allow remote or physical attackers to gain administrator rights or execute arbitrary code. XCharge has confirmed that patches have been deployed, and no public exploitation has been reported at this time.

AI-generated from linked source reports.

Impact verdict

Low impact. No concrete London Market loss pathway is evidenced: no named insured asset damage, no confirmed exploitation, no business interruption, no claims or reserving activity indicated. Patches have already been deployed by the vendor. The advisory is a routine ICS vulnerability disclosure with theoretical relevance to cyber underwriters monitoring EV/transportation infrastructure exposure, but falls below the threshold for MEDIUM without evidence of active exploitation, insured loss, or named commercial asset impact.

Ledger grading: Known · Reported · Uncertain.

Intelligence ledger


Known (6 lines)

  • Three CVEs disclosed: CVE-2026-9037 (CVSS 9.8 Critical), CVE-2026-9038 (CVSS 7.6 High), CVE-2026-9039 (CVSS 7.6 High)
  • Vulnerabilities affect XCharge C6 charging controllers running firmware versions prior to May 22, 2026
  • XCharge has confirmed patches have been deployed to all affected chargers
  • Affected critical infrastructure sector: Transportation Systems
  • No known public exploitation reported to CISA at time of publication
  • Devices deployed worldwide; company headquartered in the United States

Reported (4 lines)

  • Vulnerabilities were reported by Lionel R. Saposnik of SaiFlow
  • CVE-2026-9037 allows remote unauthenticated firmware replacement via management interface impersonation
  • CVE-2026-9038 requires physical access to the charging interface to exploit
  • CVE-2026-9039 allows a physical attacker to gain full administrative access using default credentials

Uncertain (4 lines)

  • Total number of XCharge C6 units deployed globally is not specified
  • Whether any exploitation occurred prior to patch deployment is unknown
  • Downstream impact on EV fleet operators, charging networks, or grid-connected infrastructure is not assessed
  • Whether insured commercial fleets or infrastructure operators are exposed is unclear

Geographic Zone Matches

3 active matches

  • TRIA Certified Areas (Rule-based · Confidence 100%)
  • Caribbean Hurricane Zone (Rule-based · Confidence 100%)
  • Pacific Ring of Fire (Rule-based · Confidence 100%)

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇺🇸 United States

Timeline

Status Change · 2 Jun 2026, 13:05
Lifecycle changed: monitoring → closed

Closure · 2 Jun 2026, 13:05
Event Closed (auto_closed_monitoring_timeout)

Status Change · 29 May 2026, 05:30
Status changed to monitoring. Auto-transitioned: no updates for 6 hours. active → monitoring

Status Change · 28 May 2026, 22:36
Status changed to active. remediation: existing authoritative signal. signal → active

Initial Detection · 28 May 2026, 16:44

Successful exploitation of these vulnerabilities could allow an attacker to gain administrator rights or execute code on the affected device... A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unautho...

Source: CISA Advisories (Official Advisory)
