Ev.Energy
CVE-2026-24445
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AnalysisAI
Ev.Energy's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force credential attacks without restriction. This vulnerability affects all unauthenticated network-based interactions with the affected application and has no available patch at this time.
Technical ContextAI
Classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). Affects Ev.Energy. The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Missing WebSocket authentication — fifth CVE in the industrial platform WebSocket family. Same CWE-306 pattern enabling
Ev.Energy's WebSocket implementation accepts duplicate session identifiers from multiple endpoints, allowing attackers t
Ev.Energy charging stations expose authentication credentials through publicly accessible web-based mapping platforms, a
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today