Ev.Energy
CVE-2026-25774
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
AnalysisAI
Ev.Energy charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated remote attackers to obtain access identifiers. An attacker with these credentials could potentially intercept or manipulate charging sessions and related data. No patch is currently available for this exposure.
Technical ContextAI
Classified as CWE-522 (Insufficiently Protected Credentials). Affects Ev.Energy. Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Missing WebSocket authentication — fifth CVE in the industrial platform WebSocket family. Same CWE-306 pattern enabling
Ev.Energy's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch deni
Ev.Energy's WebSocket implementation accepts duplicate session identifiers from multiple endpoints, allowing attackers t
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today