The Cybersecurity and Infrastructure Security Agency (CISA) issued a stark warning on May 28, 2026, revealing that XCharge’s C6 electric vehicle charging stations harbor three critical vulnerabilities. Each flaw carries a maximum CVSS severity score of 9.8 out of 10, leaving systems wide open to complete takeover and remote code execution by unauthenticated attackers. The advisory, light on technical specifics, underscores the escalating cyber risks facing the rapidly expanding EV charging infrastructure.

A Trio of Perfect 9.8s

The three vulnerabilities, as detailed in the advisory, are all rated 9.8. In CVSS v3.x that score corresponds to a flaw that is reachable over the network, has low attack complexity, requires no privileges and no user interaction, and has a high impact on confidentiality, integrity, and availability. While CVE identifiers and granular details were not immediately released (likely to give XCharge time to develop patches), the rating leaves little doubt about the danger: an attacker could feasibly gain administrative privileges on the charger, execute arbitrary commands, or pivot to other networked systems. Scores like these are typical of classic IoT device weaknesses such as command injection, hardcoded credentials, or unauthenticated web interfaces, though CISA did not confirm the specific root causes.

What Is the XCharge C6?

XCharge’s C6 is a commercial-grade DC fast charger designed for public and fleet use. It supports multiple charging standards, including CCS and CHAdeMO, and delivers up to 150 kW of power, making it a fixture at highway rest stops, shopping centers, and corporate campuses. The C6 connects to cloud-based management platforms for billing, remote monitoring, and firmware updates. These network connections, often over Ethernet, Wi-Fi, or cellular modems, transform the charger into a powerful edge computer—and a tempting target. Unlike home chargers that sit behind residential routers, many commercial units are directly exposed to the internet or placed on minimally segmented operational technology (OT) networks.

The Stakes Are Higher Than Ever

Electric vehicle sales continue to climb, and the attack surface grows with them. A compromised charger isn’t just a billing blip; it can disrupt transportation, potentially damage vehicle batteries through manipulated charging parameters, or serve as a beachhead for lateral movement into municipal or corporate networks. In a worst-case scenario, a synchronized attack could destabilize the electrical grid by abruptly cycling hundreds of chargers, a risk researchers have been warning about for years. The potential for ransomware targeting EV infrastructure also looms, where an attacker could lock out owners or operators until a payment is made.

The XCharge advisory arrives amid a surge in OT and IoT vulnerabilities. Just last year, flaws in EV charger brands like Wallbox, ChargePoint, and ABB made headlines. In 2025, a UK study found that a majority of home chargers had at least one CVE-rated weakness, often with CVSS scores above 7.0. These incidents collectively paint a picture of an industry sprinting to deploy hardware faster than it can secure it.

CISA’s Role and the ICS Advisory Process

CISA regularly publishes Industrial Control Systems (ICS) advisories to spotlight vulnerabilities in critical infrastructure, including energy, water, and transportation. The agency urged owners and operators of XCharge C6 units to immediately apply available mitigations—even before an official patch lands. Typical best practices include isolating chargers on a dedicated VLAN, disabling unnecessary services, implementing strong authentication, and closely monitoring logs for anomalous activity. CISA often coordinates with vendors and researchers to disclose flaws on a set timeline, but delays in patching can leave weeks or months of exposure. In this case, no patch timeline was provided, raising concerns about how long these critical holes will remain open.

The advisory also hinted that the vulnerabilities are remotely exploitable without any user interaction, making them prime candidates for automated attack tools like botnets or mass-scanning frameworks. Those attributes (network-reachable, no authentication, no user interaction) are exactly what drive fast, opportunistic exploitation. Note that the Exploit Prediction Scoring System (EPSS), which estimates the probability that a given CVE is exploited within the next 30 days, cannot score these flaws until CVE identifiers are published, so defenders should not wait for an EPSS signal before acting.

What Windows Users Need to Know

While the vulnerabilities reside in an embedded system, the ripple effects reach Windows-centric environments. Fleet management dashboards and charging network backends often run on Windows Server and are accessed via Windows 10 or 11 clients. A compromised charger could be used to intercept credentials, inject malicious updates into management software, or pivot to the corporate network where domain controllers and sensitive data reside. IT administrators should review any connections between their Windows infrastructure and EV chargers, enforcing strict access controls and using tools like Microsoft Defender for IoT if applicable.

Moreover, if the charger’s cloud management portal federates login through Active Directory Federation Services or Microsoft Entra ID (formerly Azure Active Directory), a compromised charger or portal could be positioned to capture tokens or relay authentication against those identity systems. Organizations should treat chargers as untrusted devices and apply zero-trust principles, requiring authentication and encryption for every communication. On a flat network, a compromised charger is also a foothold from which attackers can reach Windows hosts directly, for example by brute-forcing or exploiting Remote Desktop Protocol (RDP) services exposed to the charger’s segment.

Limited Details Fuel Speculation—and Anxiety

The scant information in the advisory—no CVE numbers, no proof-of-concept—is standard for early-warning notices, but it frustrates defenders who need specifics to hunt for indicators of compromise. Security professionals on forums and social media expressed concern that the window before widespread exploitation is shrinking. “Another flawless 9.8 on an IoT device that nobody patches,” wrote a commenter on a popular infosec platform. “These things are everywhere, and they’re basically full-blown Linux computers with a charging cable attached.”

Indeed, many EV chargers run on Linux or RTOS systems with Ethernet and Wi-Fi, often with debug interfaces and hardcoded credentials. CISA’s broad categorization suggests classic bugs like command injection, buffer overflows, or authentication bypasses—flaws that have plagued IoT for a decade. Without specifics, operators are left in the dark, scanning their networks for any sign of unusual activity.

Historical Context: A Growing Hit List

The XCharge news is hardly an anomaly. In 2024, CISA issued advisories for critical flaws in Schneider Electric’s EVlink chargers (CVSS 9.8) and in ABB’s Terra AC wallboxes. Researchers at Pen Test Partners demonstrated how a chain of vulnerabilities could grant root access to multiple charger brands. In each case, the primary culprits were insufficient input validation, lack of authentication, and overly permissive cloud APIs. The pattern suggests that the industry is repeating the mistakes of early IoT, where security was an afterthought.

A 2025 report by the Government Accountability Office specifically flagged the cybersecurity of EV supply equipment as a major gap, noting that no mandatory federal standards exist. Several states have begun requiring UL 2901-2 certification, which includes basic network security testing, but compliance is far from universal.

Industry Response and Patch Timeline Concerns

XCharge has yet to issue a public statement as of this writing. In similar past cases, manufacturers have taken anywhere from a week to several months to release firmware patches, depending on the complexity of the fixes and the need for hardware revisions. The absence of vendor-specific interim mitigations is worrying; the generic guidance in the advisory is all operators have to work with. Organizations operating C6 chargers must assume compromise is possible and act preemptively. CISA’s advisory recommends contacting XCharge directly for support, but that offers little solace to hundreds of independent operators who may not monitor ICS alerts.

Fleet operators and site hosts should press their vendors hard for a timeline. The longer a critical patch is delayed, the greater the chance that exploit code appears on GitHub or in exploit kits. A CVSS score measures reachability and impact, not how hard an exploit is to develop, but unauthenticated flaws in embedded web stacks have historically been quick to weaponize once firmware images are in researchers’ hands, and a patched build can be diffed against the vulnerable one to locate the fix.

Practical Mitigation Steps for Operators

If you operate XCharge C6 units, here’s your action plan:

  • Isolate: Segregate chargers from the rest of your network immediately. Use a separate VLAN with no access to sensitive systems. If the charger supports it, disable Wi-Fi and Bluetooth and rely only on wired Ethernet behind a firewall.
  • Monitor: Enable detailed logging and ship those logs to a SIEM. Watch for unusual outbound connections, especially to unknown IP addresses or domains, and for any escalation of privileges.
  • Harden: Disable any web interfaces or services that are not strictly necessary. Change all default credentials and use multi-factor authentication where possible. If the charger uses SSH or Telnet for maintenance, disable those or restrict access to specific IPs.
  • Plan: Prepare a firmware update process. When patches become available, apply them swiftly—preferably over an isolated update channel. Test updates on a non-production unit first.
  • Assess: Verify if your units are internet-facing and, if so, consider moving them behind a VPN or firewall. Use Shodan to search for your own chargers; you might be surprised what’s exposed.
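The Isolate, Monitor, and Assess steps above reduce to one question: does any traffic cross the charger VLAN boundary that your allow-list does not explain? The following Go program is an added example written for this article, not XCharge code and not part of the advisory. It applies a constructed allow-list (a hypothetical OCPP backend at 203.0.113.10:443, a hypothetical NTP server, and a hypothetical jump host permitted to reach SSH on chargers) to constructed flow records and reports every violation, including attempts the firewall already denied, because a charger that merely tries to reach SMB on the corporate LAN is already telling you something.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Policy is the allow-list for an isolated charger VLAN. Anything not listed is a finding.
type Policy struct {
	ChargerNet *net.IPNet      // the charger VLAN
	Outbound   map[string]bool // "ip:port" destinations a charger may reach (CSMS, NTP)
	Inbound    map[string]bool // "ip:port" = allowed source host and the charger port it may reach
}

// Finding pairs an offending record with the rule it violated.
type Finding struct{ Line, Reason string }

// DefaultPolicy uses constructed, hypothetical addresses; substitute your own.
func DefaultPolicy() Policy {
	_, chargerNet, _ := net.ParseCIDR("10.50.0.0/24")
	return Policy{
		ChargerNet: chargerNet,
		Outbound: map[string]bool{
			"203.0.113.10:443": true, // hypothetical OCPP backend (CSMS) over WSS
			"203.0.113.20:123": true, // hypothetical NTP server
		},
		Inbound: map[string]bool{"10.10.0.5:22": true}, // hypothetical jump host -> charger SSH
	}
}

// SampleLines are constructed flow records: "<ts> <proto> <src>:<port> -> <dst>:<port> <action>".
var SampleLines = []string{
	"2026-05-29T02:14:07Z TCP 10.50.0.21:51234 -> 203.0.113.10:443 ACCEPT", // OCPP to CSMS: allowed
	"2026-05-29T02:14:09Z UDP 10.50.0.21:123 -> 203.0.113.20:123 ACCEPT",   // NTP: allowed
	"2026-05-29T02:15:30Z TCP 10.50.0.22:40001 -> 10.10.0.8:445 ACCEPT",    // charger -> corporate SMB
	"2026-05-29T02:16:02Z TCP 198.51.100.77:60000 -> 10.50.0.22:80 ACCEPT", // internet -> charger web UI
	"2026-05-29T02:16:40Z TCP 10.10.0.5:55000 -> 10.50.0.22:22 ACCEPT",     // jump host SSH: allowed
	"2026-05-29T02:17:11Z TCP 10.50.0.21:40500 -> 10.50.0.22:22 ACCEPT",    // charger -> charger
	"2026-05-29T02:18:00Z TCP 10.50.0.22:40002 -> 198.51.100.9:4444 DENY",  // blocked, still suspicious
}

// isPrivate reports whether ip falls in an RFC 1918 range; anything else inbound is internet exposure.
func isPrivate(ip net.IP) bool {
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		if _, n, _ := net.ParseCIDR(cidr); n.Contains(ip) {
			return true
		}
	}
	return false
}

func parseAddr(s string) (net.IP, string) {
	host, port, err := net.SplitHostPort(s)
	if err != nil {
		return nil, ""
	}
	return net.ParseIP(host), port
}

// Audit applies the policy to each record and returns the violations in input order.
func Audit(p Policy, lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 6 || f[3] != "->" {
			findings = append(findings, Finding{line, "unparseable record"})
			continue
		}
		src, _ := parseAddr(f[2])
		dst, dport := parseAddr(f[4])
		if src == nil || dst == nil {
			findings = append(findings, Finding{line, "unparseable address"})
			continue
		}
		action := " (" + f[5] + ")"
		fromCharger, toCharger := p.ChargerNet.Contains(src), p.ChargerNet.Contains(dst)
		switch {
		case fromCharger && toCharger: // lateral movement inside the VLAN
			findings = append(findings, Finding{line, "charger-to-charger traffic" + action})
		case fromCharger:
			if key := dst.String() + ":" + dport; !p.Outbound[key] {
				findings = append(findings, Finding{line, "outbound to non-allow-listed " + key + action})
			}
		case toCharger:
			if !isPrivate(src) {
				findings = append(findings, Finding{line, "inbound from internet address " + src.String() + " to port " + dport + action})
			} else if key := src.String() + ":" + dport; !p.Inbound[key] {
				findings = append(findings, Finding{line, "inbound from non-allow-listed " + key + action})
			}
		}
	}
	return findings
}

// AuditSample runs the default policy over the constructed records.
func AuditSample() []Finding { return Audit(DefaultPolicy(), SampleLines) }

func main() {
	for _, f := range AuditSample() {
		fmt.Printf("%s\n    %s\n", f.Reason, f.Line)
	}
}
```

Run against your own flow or firewall logs by adapting parseAddr and the field positions to your export format; the policy itself stays a short allow-list, which is the point of the VLAN. Two of the seven constructed records above pass and four are flagged: the charger reaching SMB on the corporate LAN, an internet host hitting the charger’s web interface, one charger talking to another, and a denied outbound connection to an unknown host on port 4444.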

For consumers and small businesses, the advice is simpler: if you own a C6, contact your installer or XCharge support immediately. Avoid using public Wi-Fi to manage the charger, and ensure the companion app is updated. Until patches arrive, limit network connectivity to the absolute minimum.

The Bigger Picture: Securing the Electric Highway

This advisory isn’t an isolated incident; it’s a canary in the coal mine. EV chargers are one category among the tens of billions of IoT devices now online (industry forecasts had projected roughly 75 billion by 2025). Municipalities, utilities, and businesses are rushing to deploy chargers, often without the security budgets of IT departments. Government mandates, like the Federal Highway Administration’s requirement for state-approved EV infrastructure plans, focus on speed and coverage, sometimes overlooking cybersecurity in the fine print.

The Department of Energy and CISA have begun collaborating on guidance for EV charging cybersecurity, but the pace of regulation lags behind the attackers. In the UK, the Electric Vehicles (Smart Charge Points) Regulations 2021 set a meaningful baseline, yet similar federal rules in the U.S. remain voluntary. Meanwhile, security researchers keep finding critical bugs faster than manufacturers can fix them.

XCharge faces a critical test. How quickly and transparently the company responds will influence trust in its brand and, by extension, the entire sector. A prompt, clear patch release, coupled with a detailed post-mortem, would go a long way toward calming jittery fleet operators. A silent, slow response could embolden attackers to reverse-engineer the bugs—if they haven’t already.

A Call for Fundamental Change

The time has passed for treating EV chargers as glorified extension cords. They are powerful networked computers managing high-energy systems, and they require the same security rigor as any critical infrastructure endpoint. Manufacturers must adopt secure-by-design principles: remove debug interfaces, implement secure boot, encrypt firmware, and build over-the-air update mechanisms that verify a vendor signature on every image and refuse to roll back to an older, vulnerable build.
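What a tamper-resistant update path looks like in code, as an added example written for this article (it is not XCharge firmware and the manifest format is constructed): the vendor signs a small manifest binding a version number to the SHA-256 of the image; the charger verifies the signature first, then enforces anti-rollback, then checks the image against the signed hash. Go’s standard-library Ed25519 stands in for whatever the device’s bootloader would use; the logic is the same whatever the language, and the public key must itself be anchored by secure boot (ROM or OTP) or the check can be patched out. Confidentiality of the image (the "encrypt firmware" point) is a separate layer not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// Manifest describes one firmware image. The signature covers the canonical
// string "version=<n>\nsha256=<hex>\n", a constructed format for this example.
type Manifest struct {
	Version uint64
	SHA256  [32]byte
	Sig     []byte
}

func (m Manifest) canonical() []byte {
	return []byte("version=" + strconv.FormatUint(m.Version, 10) +
		"\nsha256=" + hex.EncodeToString(m.SHA256[:]) + "\n")
}

// Sign is the build-server side; the private key never leaves the vendor.
func Sign(priv ed25519.PrivateKey, version uint64, image []byte) Manifest {
	m := Manifest{Version: version, SHA256: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.canonical())
	return m
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrRollback  = errors.New("manifest version is not newer than the installed version")
	ErrImageHash = errors.New("image hash does not match the signed manifest")
)

// Verify is the charger side. Order matters: authenticate the manifest before
// trusting anything in it, then refuse downgrades, then check the image against
// the hash that the signature vouches for.
func Verify(pub ed25519.PublicKey, installed uint64, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.canonical(), m.Sig) {
		return ErrSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.SHA256 {
		return ErrImageHash
	}
	return nil
}

func result(err error) string {
	if err == nil {
		return "ok"
	}
	return err.Error()
}

// Demo exercises the happy path and three tampering scenarios, returning one
// result string per scenario, in order.
func Demo() []string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	good := []byte("C6 firmware build 7 (constructed image bytes)")
	installed := uint64(6)
	m := Sign(priv, 7, good)

	evil := append([]byte{}, good...) // 1. image swapped after signing
	evil[0] ^= 0xff

	bumped := m // 2. attacker edits the version field; the signature no longer covers it
	bumped.Version = 99

	old := Sign(priv, 5, good) // 3. genuine, vendor-signed but older build replayed

	return []string{
		result(Verify(pub, installed, m, good)),
		result(Verify(pub, installed, m, evil)),
		result(Verify(pub, installed, bumped, good)),
		result(Verify(pub, installed, old, good)),
	}
}

func main() {
	for i, r := range Demo() {
		fmt.Printf("scenario %d: %s\n", i, r)
	}
}
```

Scenario 3 is the one operators most often overlook: a perfectly valid, vendor-signed image is still an attack if it reintroduces the bugs this advisory is about, which is why the installed version must be persisted somewhere the updater cannot be tricked into resetting.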

For now, the burden falls on operators. Until concrete patches materialize, vigilance and network hygiene are the best defense. CISA’s warning is loud and clear: the internet is scanning for these devices, and three critical flaws are an open invitation. Don’t wait for a breach to act.