Skip to main content

Everon API CVE-2026-24696

HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-03-06 ics-cert@hq.dhs.gov
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 06, 2026 - 14:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 14:37 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 14:37 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 16:16 nvd
HIGH 7.5

DescriptionCVE.org

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

AnalysisAI

Remote denial-of-service and credential brute-force attacks against Everon's api.everon.io WebSocket interface allow unauthenticated attackers to disrupt electric vehicle charging infrastructure by overwhelming the authentication endpoint with unlimited login attempts, suppressing or mis-routing charger telemetry data, or compromising accounts through password guessing. EPSS score is low (0.06%, 20th percentile) indicating limited observed exploitation activity, though the network-accessible, zero-authentication attack vector poses clear operational risk to charging station operators relying on this API for fleet management.

Technical ContextAI

This vulnerability affects the WebSocket API implementation (api.everon.io) used in Everon's electric vehicle charging infrastructure platform. WebSocket provides full-duplex communication channels over TCP, commonly used for real-time telemetry streaming from distributed charging stations. The CWE-307 classification identifies this as an Improper Restriction of Excessive Authentication Attempts weakness. The API's authentication mechanism fails to implement throttling, CAPTCHA challenges, account lockouts, or connection rate limiting on the WebSocket handshake or subsequent authentication frames. This design flaw in the application layer permits unlimited authentication requests from a single source or distributed sources without triggering protective measures. The CPE string cpe:2.3:a:everon:api.everon.io identifies the vendor as Everon and the vulnerable component as their cloud-based API service, though the version field shows a hyphen indicating version-specific details are not provided in the CPE.

RemediationAI

Organizations using Everon's api.everon.io WebSocket API should immediately consult CISA advisory ICSA-26-062-08 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08) and the CSAF document (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-08.json) for vendor-issued patches or service updates, as no specific fix version is independently confirmed in available data. Until patches are deployed, implement compensating controls including: restricting network access to the WebSocket endpoint using IP allowlisting to permit only known charging station source addresses and authorized management workstations, which reduces exposure but requires maintaining accurate IP inventories and may complicate mobile management scenarios; deploying a reverse proxy or web application firewall with aggressive rate limiting rules (e.g., maximum 5 authentication attempts per source IP per minute) to throttle brute-force attempts, though this may inadvertently block legitimate retry logic from charging stations experiencing intermittent connectivity; enabling comprehensive authentication logging and alerting on failed login patterns to detect ongoing attacks, accepting the operational overhead of log analysis; and implementing network-layer DDoS mitigation services from cloud providers or CDN services positioned in front of the API, which adds infrastructure cost but provides broader protection. Organizations should also audit account credentials to ensure strong, unique passwords resistant to dictionary attacks and enable multi-factor authentication if supported by future Everon updates.

Share

CVE-2026-24696 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy