Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking.
This issue affects Mobile Application: from 1.6.2 before 1.13.
AnalysisAI
Insufficient session expiration in the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application versions 1.6.2 through before 1.13 permits session hijacking by failing to invalidate session tokens after logout or inactivity. An authenticated attacker who obtains a valid session token can reuse it to access the victim's account data, resulting in high-confidence exposure (C:H) with no integrity or availability impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact against an energy sector mobile application warrants prompt patching given the sensitivity of the target environment.
Technical ContextAI
CWE-613 (Insufficient Session Expiration) describes a failure to adequately limit the lifetime of session tokens, meaning tokens remain valid server-side long after a user logs out or a reasonable idle timeout should have elapsed. The affected product is the TEİAŞ Mobile Application (CPE: cpe:2.3:a:turkiye_electricity_transmission_corporation_(tei̇aş):mobile_application:*:*:*:*:*:*:*:*), a mobile client used by Turkey's national electricity transmission operator. In this class of vulnerability, session management on the backend does not revoke or rotate tokens upon logout or expiry, so any party who captures or retains a token - through network interception, shared device access, log exposure, or token theft - can continue making authenticated API requests indefinitely. The CVSS network attack vector (AV:N) confirms the application communicates over network protocols where session tokens transit, amplifying the exposure window.
RemediationAI
The vendor has released a patch; users should upgrade the TEİAŞ Mobile Application to version 1.13 or later, which is confirmed as the fix boundary per ENISA EUVD-2026-31289 and the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286. Update distribution should be pushed through the applicable mobile app stores, and administrators should verify that backend session invalidation logic is also updated in any associated server-side components, as CWE-613 typically requires a server-side fix rather than a client-only patch. If immediate upgrade is not feasible, compensating controls should include enforcing short absolute session timeouts on the server side (e.g., 15-30 minutes of inactivity) and implementing token revocation on explicit logout events, though these require backend changes. Advising users to explicitly log out after each session rather than simply closing the app reduces the window of token validity as a short-term measure, with the trade-off of increased friction. Organizations managing TEİAŞ application access for employees should consider enforcing mobile device management (MDM) policies that clear application data on lock, reducing residual token exposure from shared or lost devices.
More in Mobile Application
View allHardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers ac
Brute force exploitation of the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application (versions 1.6.2
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31289
GHSA-g5rh-53cq-px9w