Everon API CVE-2026-24696
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AnalysisAI
Remote denial-of-service and credential brute-force attacks against Everon's api.everon.io WebSocket interface allow unauthenticated attackers to disrupt electric vehicle charging infrastructure by overwhelming the authentication endpoint with unlimited login attempts, suppressing or mis-routing charger telemetry data, or compromising accounts through password guessing. EPSS score is low (0.06%, 20th percentile) indicating limited observed exploitation activity, though the network-accessible, zero-authentication attack vector poses clear operational risk to charging station operators relying on this API for fleet management.
Technical ContextAI
This vulnerability affects the WebSocket API implementation (api.everon.io) used in Everon's electric vehicle charging infrastructure platform. WebSocket provides full-duplex communication channels over TCP, commonly used for real-time telemetry streaming from distributed charging stations. The CWE-307 classification identifies this as an Improper Restriction of Excessive Authentication Attempts weakness. The API's authentication mechanism fails to implement throttling, CAPTCHA challenges, account lockouts, or connection rate limiting on the WebSocket handshake or subsequent authentication frames. This design flaw in the application layer permits unlimited authentication requests from a single source or distributed sources without triggering protective measures. The CPE string cpe:2.3:a:everon:api.everon.io identifies the vendor as Everon and the vulnerable component as their cloud-based API service, though the version field shows a hyphen indicating version-specific details are not provided in the CPE.
RemediationAI
Organizations using Everon's api.everon.io WebSocket API should immediately consult CISA advisory ICSA-26-062-08 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08) and the CSAF document (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-08.json) for vendor-issued patches or service updates, as no specific fix version is independently confirmed in available data. Until patches are deployed, implement compensating controls including: restricting network access to the WebSocket endpoint using IP allowlisting to permit only known charging station source addresses and authorized management workstations, which reduces exposure but requires maintaining accurate IP inventories and may complicate mobile management scenarios; deploying a reverse proxy or web application firewall with aggressive rate limiting rules (e.g., maximum 5 authentication attempts per source IP per minute) to throttle brute-force attempts, though this may inadvertently block legitimate retry logic from charging stations experiencing intermittent connectivity; enabling comprehensive authentication logging and alerting on failed login patterns to detect ongoing attacks, accepting the operational overhead of log analysis; and implementing network-layer DDoS mitigation services from cloud providers or CDN services positioned in front of the API, which adds infrastructure cost but provides broader protection. Organizations should also audit account credentials to ensure strong, unique passwords resistant to dictionary attacks and enable multi-factor authentication if supported by future Everon updates.
More in Api Everon Io
View allUnauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform v
WebSocket session management in charging station backends allows multiple connections using identical session identifier
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today