An authenticated, low-privileged attacker can obtain credentials stored on the charge controller, including the manufacturer password.
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.