CVE-2026-22099 in DC-80info

Summary

by MITRE • 07/13/2026

The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

This vulnerability represents a critical security flaw in wireless charging infrastructure where Bluetooth communication lacks proper authentication mechanisms. The absence of authentication allows any nearby attacker to execute arbitrary commands against the charging station through unsecured Bluetooth interfaces. This weakness directly violates fundamental security principles and creates multiple attack vectors for malicious actors seeking to compromise charging station operations.

The technical implementation flaw stems from insufficient access control measures within the Bluetooth protocol stack of the charging station. When authentication is not enforced, all Bluetooth commands become publicly accessible, enabling unauthorized users to manipulate device functionality without proper credentials or authorization. This vulnerability falls under the category of weak authentication mechanisms as defined by CWE-287, where systems fail to adequately verify user identities before granting access to sensitive functions.

The operational impact of this vulnerability extends beyond simple unauthorized access. Attackers can exploit this weakness to obtain sensitive information from the charging station, potentially including device identifiers, user data, or network configuration details. The ability to trigger device reboots creates opportunities for denial-of-service attacks that could disrupt charging services and compromise user experience. Additionally, the capability to push firmware update URLs allows attackers to potentially install malicious software or redirect legitimate updates to compromised versions, creating persistent security risks.

This vulnerability aligns with several ATT&CK framework techniques including T1071.004 for application layer protocol usage and T1566 for credential access through wireless communications. The lack of authentication creates a pathway for lateral movement within charging infrastructure networks and could enable attackers to gain deeper system control. The exposure of sensitive information leakage represents a data breach risk that could compromise user privacy and device integrity.

Mitigation strategies should focus on implementing robust Bluetooth authentication mechanisms including strong cryptographic authentication protocols such as Bluetooth 5.0 or later with secure pairing procedures. Device manufacturers must ensure proper access control enforcement at the Bluetooth interface level, requiring valid credentials before executing sensitive operations. Network segmentation should isolate charging stations from critical infrastructure, and regular security audits should verify that authentication mechanisms remain effective against evolving threats. Additionally, implementing secure firmware update mechanisms with cryptographic signatures will prevent unauthorized firmware modifications while maintaining proper device integrity controls.

The vulnerability demonstrates a fundamental gap in wireless charging security standards and highlights the importance of applying defense-in-depth principles to IoT devices. Organizations deploying charging infrastructure must conduct comprehensive security assessments to identify similar authentication weaknesses in connected devices and establish secure communication protocols that protect against unauthorized access and manipulation of critical charging operations.

Responsible

DIVD

Reservation

01/06/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00247

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!