Compleo Security Advisory on Vulnerabilities in P5-Based Products
Overall Severity: HIGH
Advisory-ID CCS-SA-2026-0001 | Version 1 · final | Current Release 2026-06-22 | Publisher Compleo Charging Solutions GmbH & Co. KG
Overview and general notes
Summary
This advisory describes the vulnerabilities CCS-VUL-2026-0001, CCS-VUL-2026-0002, CCS-VUL-2026-0004, and CCS-VUL-2026-0005 in P5-based products. Firmware updates are already available for all vulnerabilities except CCS-VUL-2026-0002; software version 6.18.4, which addresses CCS-VUL-2026-0002, is expected to be released shortly.
Impact
Depending on the attack path, the vulnerabilities described may affect the confidentiality and integrity of device data, configuration data, and access credentials. Some vulnerabilities require physical access to the device electronics; others require network access or authenticated access with high privileges. Successful exploitation may allow, among other things, reading or modifying local storage contents, use of the vendor remote service access, or bypassing the intended restrictions for configured SSH keys.
Mitigation
Compleo recommends operating affected devices only in protected networks and restricting network access to required communication relationships. Device management and web interfaces should not be reachable from public or untrusted networks. Operators should install available firmware updates promptly and, in particular, ensure that affected P5 devices are updated to a firmware version that fixes the respective vulnerability.
Remediation
Compleo recommends updating affected P5-based products to the latest available firmware version.
| Vulnerability | Affected products / versions | Remediation / recommended version |
|---|---|---|
| CCS-VUL-2026-0001: Unencrypted Memory | P5 devices with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3 | Update to software version 6.15.0 or later |
| CCS-VUL-2026-0002: Open Recovery Mode | P5 devices with factory-installed software version up to and including 6.15.3 and installed software version up to and including 6.18.3 | Devices factory-installed with software version 6.16.0 or later are not affected; update other affected devices to software version 6.18.4 or later |
| CCS-VUL-2026-0004: SSH Key Backdoor | P5 devices with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3 | Update to software version 6.15.0 or later |
| CCS-VUL-2026-0005: Authenticated SSH Key Injection | P5 devices with installed software version up to and including 6.18.2 | Update to software version 6.18.3 or later |
To fully remediate all vulnerabilities described in this advisory, Compleo recommends updating to software version 6.18.4 or later, where this version is available for the respective product.
P5 Platform and Factory-Installed Software Version
The P5 platform includes Compleo eTower across all production years, Compleo SOLO from production year 2021, and Compleo DUO from production year 2022. Compleo SOLO was not explicitly named in the original vulnerability report; its affected status results from the vendor’s internal analysis of the shared P5 platform. Software version 6.15.0 or later has been installed on P5 devices at the factory since November 2025. The product model in this advisory distinguishes between the factory-installed software version and the currently installed software version. For CCS-VUL-2026-0001 and CCS-VUL-2026-0004, the relevant factory-installed software threshold is 6.15.0. For CCS-VUL-2026-0002, the relevant factory-installed software threshold is 6.16.0; devices delivered from the factory with software version up to and including 6.15.3 are treated separately from devices delivered with software version 6.16.0 or later. Where this advisory refers to the factory-installed software version up to and including 6.14.3, this means devices that were delivered from the factory with software version 6.14.3 or earlier.
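The two-axis product model above (factory-installed version versus currently installed version) is easy to get wrong when working through a fleet inventory by hand. The following Python is an added example, not part of the Compleo advisory: it encodes the affected-version rules from the remediation table as a function and classifies a constructed inventory. The device names in the inventory are made up for the example; the version thresholds are the advisory's own.

```python
"""Added example, not part of the Compleo advisory: the affected-version rules from
the remediation table, written as a function an operator can run over a fleet
inventory that records both the factory-installed and the installed version."""

# Lowest software version that fixes each vulnerability, per the remediation table.
FIXED_IN = {
    "CCS-VUL-2026-0001": (6, 15, 0),   # Unencrypted Memory
    "CCS-VUL-2026-0002": (6, 18, 4),   # Open Recovery Mode
    "CCS-VUL-2026-0004": (6, 15, 0),   # SSH Key Backdoor
    "CCS-VUL-2026-0005": (6, 18, 3),   # Authenticated SSH Key Injection
}


def parse_version(text: str) -> tuple:
    """'6.18.3' -> (6, 18, 3); anything that is not three integers is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def affected(factory: str, installed: str) -> set:
    """IDs of the advisory's vulnerabilities that apply to a P5 device with the
    given factory-installed and currently installed software version."""
    f, i = parse_version(factory), parse_version(installed)
    if i < f:
        raise ValueError("installed version older than factory-installed version")
    found = set()
    # 0001/0004: shipped before 6.15.0 and never updated beyond 6.14.3.
    if f <= (6, 14, 3) and i <= (6, 14, 3):
        found |= {"CCS-VUL-2026-0001", "CCS-VUL-2026-0004"}
    # 0002: no Secure Boot on devices shipped before 6.16.0; recovery mode is only
    # disabled from 6.18.4. Devices shipped with 6.16.0 or later are not affected.
    if f <= (6, 15, 3) and i <= (6, 18, 3):
        found.add("CCS-VUL-2026-0002")
    # 0005: the web application fix depends on the installed version only.
    if i <= (6, 18, 2):
        found.add("CCS-VUL-2026-0005")
    return found


def target_version(factory: str, installed: str) -> str:
    """Lowest version that clears every applicable vulnerability; '' if none apply."""
    ids = affected(factory, installed)
    return ".".join(map(str, max(FIXED_IN[v] for v in ids))) if ids else ""


# Constructed inventory rows (device name, factory-installed, installed); names are invented.
INVENTORY = [("eTower-01", "6.14.3", "6.14.3"), ("DUO-07", "6.14.3", "6.18.3"),
             ("SOLO-12", "6.16.0", "6.18.2"), ("eTower-02", "6.15.3", "6.18.4")]


def classify(inventory: list) -> list:
    """(device, sorted affected IDs, recommended target version) per inventory row."""
    return [(d, sorted(affected(f, i)), target_version(f, i)) for d, f, i in inventory]


if __name__ == "__main__":
    for row in classify(INVENTORY):
        print(*row)
```

Note that a device such as DUO-07 above (shipped with 6.14.3, now on 6.18.3) is clear of three of the four issues but still affected by CCS-VUL-2026-0002 until 6.18.4, because the recovery-mode fix for pre-6.16.0 hardware ships only in that release.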
Classification of Physical Access
The affected products are intended for operation in public spaces. Physical access to the outer enclosure is therefore expected during intended operation. Where this advisory lists physical access as an attack prerequisite, this does not mean mere proximity to the device, but unauthorised access to internal electronics, storage media, or service and debug interfaces after opening or tampering with the enclosure, maintenance doors, or service flaps.
General Recommendation
Compleo recommends operating charging infrastructure in protected, segmented networks and avoiding direct reachability from the Internet. Management and service interfaces should be protected by firewalls, access restrictions, and appropriate operational processes. Maintenance doors, service flaps, and enclosure access points to internal electronics should remain closed during regular operation and be secured against unauthorised opening. Operators should disable services that are not required and install available software updates promptly.
Product Description
Compleo eTower, Compleo SOLO, and Compleo DUO are charging stations for electric vehicles. DUO and SOLO are AC charging stations with a charging power of up to 22 kW per charging point; eTower is a DC high-power charging station with a charging power of up to 200 kW. The products are designed for networked operation and, depending on the configuration, can support backend communication, user authorisation, and billing functions compliant with German calibration law. The variants listed in this advisory are based on the shared P5 platform.
Vulnerabilities
| Vulnerability ID | Description | Severity | Affected | Available fix / recommendation |
|---|---|---|---|---|
| CVE-2026-10790 / CCS-VUL-2026-0001 | Unencrypted Memory | MEDIUM, CVSS 4.0: 6.8 | P5 devices with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3 | Update to software version 6.15.0 or later |
| CVE-2026-10791 / CCS-VUL-2026-0002 | Open Recovery Mode | MEDIUM, CVSS 4.0: 5.1 | P5 devices with factory-installed software version up to and including 6.15.3 and installed software version up to and including 6.18.3 | Devices factory-installed with software version 6.16.0 or later are not affected; update other affected devices to software version 6.18.4 or later |
| CVE-2026-10793 / CCS-VUL-2026-0004 | SSH Key Backdoor | HIGH, CVSS 4.0: 8.1 | P5 devices with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3 | Update to software version 6.15.0 or later |
| CVE-2026-10794 / CCS-VUL-2026-0005 | Authenticated SSH Key Injection | HIGH, CVSS 4.0: 8.5 | P5 devices with installed software version up to and including 6.18.2 | Update to software version 6.18.3 or later |
Remediation and mitigations for CCS-VUL-2026-0001: Unencrypted Memory
Until the update has been installed, prevent unauthorised opening of or tampering with the enclosure, maintenance doors, and service flaps. Operation in public spaces remains the intended use case; this measure is intended to protect the internal electronics and storage media, not to prevent regular access to the outer enclosure.
Affected target group:
P5 products with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3.
Target date / date: 2026-06-19
Update the affected product to software version 6.15.0 or later. Since software version 6.15.0, the issue has been fixed by using Secure Boot and Full Disk Encryption; Full Disk Encryption of the eMMC is also rolled out via software update for devices that were delivered from the factory with software version 6.14.3 or earlier.
Affected target group:
P5 products with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3.
| Status | Products / product groups |
|---|---|
| Known not affected | P5 products with installed software version 6.15.0 or later (see the remediation table above) |
Details
CVSS 4.0 | 6.8 - Severity: MEDIUM
Reference: CVE-2026-10790 | CCS-VUL-2026-0001 | CCS-VUL-2026-0001: Unencrypted Memory | Disclosure Date: 2026-06-22
Vulnerability Summary
With physical access to the device, the contents of the eMMC can be read externally using suitable hardware tools because, in affected versions, these contents are not stored in encrypted form.
Technical Description
The eMMC contents can be read and modified externally after physical access to the device.
Prerequisites
Exploitation requires physical access to the electronics inside the device as well as substantial hardware and software expertise.
Impact
An attacker with physical access to the device electronics can read unencrypted eMMC contents. This may disclose sensitive information or operational data. In addition, offline modifications to stored data may affect the integrity of the device.
Assessment Context
The assessment takes into account that exploitation requires physical access to the device as well as suitable hardware and software expertise. The vulnerability is not remotely exploitable. The CVSS assessment primarily reflects the risk to the confidentiality and integrity of locally stored data. Since software version 6.15.0, the risk has been addressed by Secure Boot and Full Disk Encryption.
Remediation
Since software version 6.15.0, the issue has been fixed by using Secure Boot and Full Disk Encryption. Full Disk Encryption of the eMMC is also rolled out via software update for devices that were delivered from the factory with software version 6.14.3 or earlier.
Assessment and classification
CWE-312 · Cleartext Storage of Sensitive Information
CWE-522 · Insufficiently Protected Credentials
CVSS vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A
Details
CVSS 4.0 | 5.1 - Severity: MEDIUM
Reference: CVE-2026-10791 | CCS-VUL-2026-0002 | CCS-VUL-2026-0002: Open Recovery Mode | Disclosure Date: 2026-06-22
Vulnerability Summary
With physical access to the device, the processor module can be placed into recovery mode. In this mode, it is possible to execute custom code in memory and thereby access device data.
Technical Description
The processor can be placed into recovery mode or serial download mode, allowing arbitrary code to be started in RAM and data on the eMMC to be accessed.
Prerequisites
Exploitation requires physical access to the device as well as very extensive hardware and software expertise and comprehensive technical understanding of the system.
Impact
An attacker with physical access can place the processor module into recovery mode or serial download mode and execute custom code in memory. This can allow access to device data; depending on the device state, security mechanisms may also be bypassed or local data manipulated.
Assessment Context
The assessment takes into account that exploitation requires physical access to the electronics, very extensive hardware and software expertise, and deep technical understanding of the device. Exploitation over the network is not possible. For devices delivered from the factory with software version 6.16.0 or later, the risk is addressed by Secure Boot. For older factory-installed software versions, recovery mode is disabled from software version 6.18.4 onward.
Remediation
For devices delivered from the factory with software version 6.16.0 or later, the issue has been fixed since 6.16.0 by using Secure Boot. For devices delivered from the factory with software version 6.15.3 or earlier, the fix is implemented from software version 6.18.4 onward by disabling recovery mode.
Assessment and classification
CWE-312 · Cleartext Storage of Sensitive Information
CWE-1263 · Improper Physical Access Control
CVSS vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Remediation and mitigations for CCS-VUL-2026-0002: Open Recovery Mode
Until the update has been installed, prevent unauthorised opening of or tampering with the enclosure, maintenance doors, and service flaps, as well as access to internal service or debug interfaces that can be used to trigger recovery mode or serial download mode.
Affected target group:
P5 products with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.15.0 up to and including 6.15.3.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.16.0 up to and including 6.18.2.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.18.3.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.15.0 up to and including 6.15.3.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.16.0 up to and including 6.18.2.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.18.3.
Target date / date: 2026-06-19
For devices delivered from the factory with software version 6.16.0 or later, the issue has been fixed since 6.16.0 by using Secure Boot. Update affected P5 devices that were delivered from the factory with software version 6.15.3 or earlier to software version 6.18.4 or later; this disables recovery mode.
Affected target group:
P5 products with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.15.0 up to and including 6.15.3.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.16.0 up to and including 6.18.2.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.18.3.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.15.0 up to and including 6.15.3.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.16.0 up to and including 6.18.2.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.18.3.
| Status | Products / product groups |
|---|---|
| Known not affected | P5 products with factory-installed software version 6.16.0 or later, and P5 products with installed software version 6.18.4 or later (see the remediation table above) |
Remediation and mitigations for CCS-VUL-2026-0004: SSH Key Backdoor
Restrict network access to SSH and management interfaces to trusted management networks. Ensure that remote service access is not reachable from untrusted networks.
Affected target group:
P5 products with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3.
Target date / date: 2026-06-19
Update the affected product to software version 6.15.0 or later. Since this version, the remote service function is disabled by default and can be enabled by the customer if required.
Affected target group:
P5 products with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3.
Details
CVSS 4.0 | 8.1 - Severity: HIGH
Reference: CVE-2026-10793 | CCS-VUL-2026-0004 | CCS-VUL-2026-0004: SSH Key Backdoor | Disclosure Date: 2026-06-22
Vulnerability Summary
In affected versions, a vendor-secured remote service access intended for service purposes is enabled by default. Login over this access is possible with an SSH certificate issued by the vendor's certificate authority.
Technical Description
The authorized_keys file of the service account contains an entry with the cert-authority option. Such an entry names a CA public key rather than a user key: any SSH certificate signed by that CA is accepted for login to the account. The SSH service is enabled by default, so the entry is reachable wherever the device's SSH port is reachable.
Prerequisites
Exploitation requires network access to the SSH service and a matching SSH certificate signed by the configured CA, or compromised key material (a valid certificate with its private key, or the CA signing key itself).
Impact
An attacker with network access and a matching SSH certificate signed by the configured CA, or a compromised key, can use the vendor remote service access. This may disclose confidential data and allow administrative changes to the device. The impact primarily affects the confidentiality and integrity of the affected device.
Assessment Context
The assessment takes into account that access is not possible through network reachability alone, but additionally requires a matching SSH certificate or compromised key material. The attack complexity is therefore rated higher. Since software version 6.15.0, the remote service function is disabled by default and can be explicitly enabled by the customer if required.
Remediation
Since software version 6.15.0, the remote service function is disabled by default and can be enabled by the customer if required.
Assessment and classification
CWE-321 · Use of Hard-coded Cryptographic Key
CWE-798 · Use of Hard-coded Credentials
CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Details
CVSS 4.0 | 8.5 - Severity: HIGH
Reference: CVE-2026-10794 | CCS-VUL-2026-0005 | CCS-VUL-2026-0005: Authenticated SSH Key Injection | Disclosure Date: 2026-06-22
Vulnerability Summary
An authenticated user with appropriate privileges can inject additional SSH key data through the SSH key input field of the web application that is intended for configuring load-management clusters. This can bypass the intended restrictions for configured SSH keys.
Technical Description
The web application does not neutralise line breaks in the SSH key input field. A line break embedded in the submitted value causes an additional key to be stored as a separate entry, so the restrictions that the application applies to the intended key do not apply to the injected one.
Prerequisites
Exploitation requires a valid login to the web application with high privileges.
Impact
An authenticated user with high privileges can configure additional SSH key data through the SSH key input field and thereby bypass intended restrictions for SSH keys. This may result in unauthorised or less restricted SSH access and may affect the confidentiality and integrity of the device.
Assessment Context
The assessment takes into account that exploitation requires a valid login to the web application with high privileges. The vulnerability is therefore not exploitable without prior authentication. The risk is particularly relevant if administrative accounts have been compromised or if multiple persons have privileged access to the web application. The fix is included in software version 6.18.3.
Remediation
Since software version 6.18.3, input validation has been tightened.
Assessment and classification
CWE-93 · Improper Neutralization of CRLF Sequences
CWE-78 · Improper Neutralization of Special Elements used in an OS Command
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A
Remediation and mitigations for CCS-VUL-2026-0005: Authenticated SSH Key Injection
Restrict access to the web and administration interface to trusted management networks. Grant high privileges only to trusted administrators and check configured SSH keys for unexpected entries.
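The two SSH findings in this advisory both come down to what sits in an authorized_keys file: a cert-authority entry that trusts a vendor CA (CCS-VUL-2026-0004, see the technical description above) and an extra, unrestricted entry smuggled in through a line break (CCS-VUL-2026-0005). The Python below is an added example, not Compleo code and not the P5 firmware's implementation: it parses authorized_keys entries, audits them for exactly those two shapes, and contrasts a form handler that concatenates the submitted key unchecked with a hardened one that rejects control characters and verifies that the key blob encodes the declared key type. The option set (restrict,command=...), the command path, the file contents and every key blob are constructed for the example.

```python
"""Added example (not Compleo code): parse authorized_keys entries, flag the two shapes
this advisory describes (a cert-authority entry, CCS-VUL-2026-0004; an unrestricted
entry written by a form that does not neutralise line breaks, CCS-VUL-2026-0005) and
contrast that form with a hardened one. Option set, command path and blobs are constructed."""
import base64
import re

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Options the cluster form is assumed to put in front of every key it stores.
REQUIRED_OPTIONS = {"restrict", 'command="/usr/local/bin/cluster-sync"'}
PREFIX = ",".join(sorted(REQUIRED_OPTIONS)) + " "
PUBKEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) "
                       r"([A-Za-z0-9+/]+={0,2})(?: (\S{1,64}))?$")

def ed25519_blob(point: bytes) -> str:
    """Base64 wire encoding (two RFC 4251 strings) of a constructed ed25519 public key."""
    return base64.b64encode(b"\0\0\0\x0bssh-ed25519\0\0\0\x20" + point).decode()

def split_options(field: str) -> list:
    """Split an options field on commas that are outside double quotes."""
    opts, cur, quoted = [], "", False
    for ch in field:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        else:
            cur += ch
    return opts + [cur] if cur else opts

def parse_line(line: str):
    """One authorized_keys line -> {options, key_type, blob, comment}, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = [], line
    if line.split(None, 1)[0] not in KEY_TYPES:  # the line starts with an options field
        quoted, end = False, -1
        for i, ch in enumerate(line):
            quoted ^= ch == '"'
            if ch.isspace() and not quoted:  # first unquoted whitespace ends the options
                end = i
                break
        if end < 0:
            return None
        options, rest = split_options(line[:end]), line[end:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return {"options": options, "key_type": parts[0], "blob": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}

def audit(entries: list) -> list:
    """(entry number, finding) for CA trust entries and keys lacking the restrictions."""
    findings = []
    for n, e in enumerate(entries, 1):
        missing = REQUIRED_OPTIONS - set(e["options"])
        if "cert-authority" in e["options"]:
            findings.append((n, "cert-authority: any certificate signed by this CA key can log in"))
        elif missing:
            findings.append((n, "key stored without " + ", ".join(sorted(missing))))
    return findings

def build_entry_vulnerable(user_key: str) -> str:
    """Pattern behind CCS-VUL-2026-0005: the submitted value is appended unchecked, so an
    embedded line break yields a second entry that sshd evaluates without PREFIX."""
    return PREFIX + user_key + "\n"

def validate_public_key(user_key: str) -> str:
    """Accept exactly one 'type blob [comment]' line whose blob encodes that type."""
    # Checked before the regex: Python's '$' also matches just before a trailing newline.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user_key):
        raise ValueError("control characters (including line breaks) are not allowed")
    m = PUBKEY_RE.match(user_key)
    if not m:
        raise ValueError("not a single public key line")
    key_type, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    raw = base64.b64decode(blob, validate=True)
    if raw[4:4 + int.from_bytes(raw[:4], "big")] != key_type.encode():
        raise ValueError("blob does not encode the declared key type")
    return f"{key_type} {blob} {comment}".rstrip()

def build_entry_hardened(user_key: str) -> str:
    return PREFIX + validate_public_key(user_key) + "\n"

OPERATOR_BLOB, ATTACKER_BLOB = ed25519_blob(bytes(range(32))), ed25519_blob(bytes(range(32, 64)))
# Payload: a legitimate key, a line break, then a second key with no options.
INJECTED_INPUT = f"ssh-ed25519 {OPERATOR_BLOB} cluster\nssh-ed25519 {ATTACKER_BLOB} x"
# Constructed file of a device shipped before 6.15.0: vendor CA entry, then what the vulnerable form wrote.
SAMPLE_FILE = (f"cert-authority ssh-ed25519 {ed25519_blob(bytes([0xAA]) * 32)} vendor-ca\n"
               + build_entry_vulnerable(INJECTED_INPUT))

def demo() -> dict:
    entries = [e for e in map(parse_line, SAMPLE_FILE.splitlines()) if e]
    try:
        build_entry_hardened(INJECTED_INPUT)
        rejected = False
    except ValueError:
        rejected = True
    return {"entries": len(entries), "findings": audit(entries), "rejected": rejected}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows three stored entries where the operator intended one: the vendor CA entry is flagged as CA trust, the injected second key is flagged as stored without the restriction options, and the hardened handler refuses the same payload outright. On a real device the audit half is what "check configured SSH keys for unexpected entries" amounts to; the exact restriction options the P5 firmware applies are not stated in this advisory and must be substituted for REQUIRED_OPTIONS.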
Affected target group:
P5 products with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.15.0 up to and including 6.15.3.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.16.0 up to and including 6.18.2.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.15.0 up to and including 6.15.3.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.16.0 up to and including 6.18.2.
P5 products with factory-installed software version 6.16.0 or later and installed software version 6.16.0 up to and including 6.18.2.
Target date / date: 2026-06-19
The fix is included in software version 6.18.3. Update the affected product to software version 6.18.3 or later.
Affected target group:
P5 products with factory-installed software version up to and including 6.14.3 and installed software version up to and including 6.14.3.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.15.0 up to and including 6.15.3.
P5 products with factory-installed software version up to and including 6.14.3 and installed software version 6.16.0 up to and including 6.18.2.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.15.0 up to and including 6.15.3.
P5 products with factory-installed software version 6.15.0 up to and including 6.15.3 and installed software version 6.16.0 up to and including 6.18.2.
P5 products with factory-installed software version 6.16.0 or later and installed software version 6.16.0 up to and including 6.18.2.
Affected product groups
All product groups consist of P5 platform devices (Compleo eTower, Compleo SOLO, Compleo DUO) and are distinguished by the factory-installed and the currently installed software version. The last column is derived from the affected target groups listed for each vulnerability above.
| Factory-installed software version | Installed software version | Affected by |
|---|---|---|
| up to and including 6.14.3 | up to and including 6.14.3 | CCS-VUL-2026-0001, CCS-VUL-2026-0002, CCS-VUL-2026-0004, CCS-VUL-2026-0005 |
| up to and including 6.14.3 | 6.15.0 up to and including 6.15.3 | CCS-VUL-2026-0002, CCS-VUL-2026-0005 |
| up to and including 6.14.3 | 6.16.0 up to and including 6.18.2 | CCS-VUL-2026-0002, CCS-VUL-2026-0005 |
| up to and including 6.14.3 | 6.18.3 | CCS-VUL-2026-0002 |
| up to and including 6.14.3 | 6.18.4 or later | none |
| 6.15.0 up to and including 6.15.3 | 6.15.0 up to and including 6.15.3 | CCS-VUL-2026-0002, CCS-VUL-2026-0005 |
| 6.15.0 up to and including 6.15.3 | 6.16.0 up to and including 6.18.2 | CCS-VUL-2026-0002, CCS-VUL-2026-0005 |
| 6.15.0 up to and including 6.15.3 | 6.18.3 | CCS-VUL-2026-0002 |
| 6.15.0 up to and including 6.15.3 | 6.18.4 or later | none |
| 6.16.0 or later | 6.16.0 up to and including 6.18.2 | CCS-VUL-2026-0005 |
| 6.16.0 or later | 6.18.3 | none |
| 6.16.0 or later | 6.18.4 or later | none |
Acknowledgments
Reported as part of coordinated vulnerability disclosure. Names: S. Dietz, T. Weber. Organisation: CyberDanube Security Research.
Revision history
| Version | Date | Summary |
|---|---|---|
| 1 | 2026-06-17 12:00 UTC | Final publication of the advisory. |
References and contact
Compleo Charging Solutions GmbH & Co. KG
Compleo Product Security Incident Response Team (PSIRT), Ezzestraße 8, 44379 Dortmund, Germany
Issuing authority: Compleo Product Security Incident Response Team (PSIRT)
| Category | Description | URL |
|---|---|---|
| self | CCS-SA-2026-0001: Compleo Security Advisory on Vulnerabilities in P5-Based Products - CSAF | https://www.compleo-charging.com/fileadmin/Documentcenter/Security_advisory/ccs-sa-2026-0001.zip |
| self | CCS-SA-2026-0001: Compleo Security Advisory zu Schwachstellen in P5-basierten Produkten - HTML (German) | https://www.compleo-charging.com/produkte/document-center/security-advisory-1 |
| self | CCS-SA-2026-0001: Compleo Security Advisory on Vulnerabilities in P5-Based Products - HTML (English) | https://www.compleo-charging.com/en/products/document-centre/security-advisory-1 |
| external | Firmware downloads and release notes for Compleo firmware | https://vaylens.atlassian.net/wiki/spaces/CK/pages/772046982/Firmware+bereitgestellt+von+Compleo |
| external | Support and contact page (German) | https://www.compleo-charging.com/beratung |
| external | Support and contact page (English) | |
Technical document data
CSAF-Version: 2.1
Category: csaf_security_advisory
Initial release: 2026-06-17T12:00:00Z
TLP: CLEAR — Publicly released; distribution without restriction is permitted.
Namespace: https://www.compleo-charging.com/
Schema: https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.json