CVE-2026-0778 Overview
CVE-2026-0778 is a missing authentication vulnerability affecting the Enel X JuiceBox 40 electric vehicle charging station. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations without requiring authentication. The flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections, enabling attackers to leverage this vulnerability to execute code in the context of the service account.
Critical Impact
Network-adjacent attackers can gain unauthorized remote code execution on JuiceBox 40 charging stations without authentication, potentially compromising critical EV charging infrastructure.
Affected Products
- Enel X JuiceBox 40 Charging Stations
Discovery Timeline
- 2026-01-23 - CVE-2026-0778 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-0778
Vulnerability Analysis
This vulnerability (tracked as ZDI-CAN-23285) stems from CWE-306: Missing Authentication for Critical Function. The telnet service running on the Enel X JuiceBox 40 charging station fails to implement proper authentication mechanisms before allowing remote connections. This design flaw enables any attacker within the adjacent network to connect directly to the telnet service on TCP port 2000 and execute arbitrary commands with the privileges of the service account.
The attack requires network adjacency, meaning the attacker must be on the same local network segment as the vulnerable charging station. This could include scenarios where attackers gain access to a building's network, parking facility network, or any shared network infrastructure where JuiceBox 40 units are deployed.
Root Cause
The root cause is a missing authentication mechanism in the telnet service implementation. The service accepts connections and processes commands without first verifying the identity or authorization of the connecting party. This is a fundamental security design flaw where a critical remote management interface lacks access controls.
Attack Vector
The attack vector is adjacent network-based, requiring the attacker to be positioned on the same network segment as the target device. An attacker can connect directly to TCP port 2000 on the JuiceBox 40 device using any telnet client. Once connected, the attacker can execute arbitrary commands with the privileges of the service account, potentially leading to:
- Full device compromise
- Manipulation of charging operations
- Lateral movement to other network devices
- Persistence mechanisms installation
- Denial of service attacks on charging infrastructure
The vulnerability can be exploited by establishing a direct telnet connection to the device on port 2000. Without authentication checks, the service accepts commands immediately upon connection, allowing full interaction with the device's operating environment. For detailed technical information, refer to the Zero Day Initiative Advisory ZDI-26-041.
Detection Methods for CVE-2026-0778
Indicators of Compromise
- Unexpected telnet connections to TCP port 2000 on JuiceBox 40 devices from unauthorized sources
- Unusual process execution or new services running on charging station devices
- Anomalous network traffic originating from EV charging infrastructure
- Unauthorized configuration changes on JuiceBox 40 units
Detection Strategies
- Monitor network traffic for telnet (TCP/2000) connections to JuiceBox 40 charging stations
- Implement network segmentation alerts for traffic crossing into EV charging infrastructure VLANs
- Deploy intrusion detection signatures for unauthorized telnet access attempts
- Audit logs on network infrastructure devices for connections to known JuiceBox 40 IP addresses on port 2000
Monitoring Recommendations
- Enable logging on network firewalls and switches monitoring traffic to EV charging equipment
- Implement network access control (NAC) to restrict which devices can communicate with charging stations
- Deploy network behavior analysis tools to identify anomalous connections to IoT/embedded devices
- Regularly audit device inventory and network configurations for exposed telnet services
How to Mitigate CVE-2026-0778
Immediate Actions Required
- Isolate JuiceBox 40 charging stations on a dedicated, segmented network VLAN
- Implement firewall rules blocking external access to TCP port 2000 on affected devices
- Deploy network access controls to restrict which hosts can communicate with charging infrastructure
- Monitor for any suspicious telnet activity to affected devices
Patch Information
Consult the Zero Day Initiative Advisory ZDI-26-041 for the latest patch availability and vendor guidance. Contact Enel X directly for firmware updates addressing this vulnerability.
Workarounds
- Block TCP port 2000 at the network perimeter and internal segment boundaries using firewall rules
- Implement strict network segmentation isolating EV charging infrastructure from general network access
- Deploy 802.1X network authentication to prevent unauthorized devices from accessing charging station networks
- Consider disabling the telnet service if operationally feasible and alternative management methods exist
# Example firewall rule to block telnet access to JuiceBox devices (adjust IP range as needed)
# iptables example for Linux-based network appliances
iptables -A FORWARD -p tcp --dport 2000 -d 192.168.10.0/24 -j DROP
iptables -A INPUT -p tcp --dport 2000 -j DROP
# Log attempts for monitoring
iptables -A FORWARD -p tcp --dport 2000 -d 192.168.10.0/24 -j LOG --log-prefix "JUICEBOX_TELNET_BLOCKED: "
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
