Skip to main content

ePower.ie CVE-2026-27778

HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-03-06 ics-cert@hq.dhs.gov
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 06, 2026 - 14:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 14:52 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 14:52 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 00:16 nvd
HIGH 7.5

DescriptionCVE.org

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

AnalysisAI

Denial-of-service and credential brute-forcing vulnerabilities in ePower.ie's WebSocket API allow remote unauthenticated attackers to disrupt electric vehicle charger operations or gain unauthorized system access. The API accepts unlimited authentication attempts without rate limiting (CWE-307), enabling attackers to suppress critical charger telemetry, mis-route charging station data, or systematically guess credentials. CISA ICS-CERT has published an advisory (ICSA-26-062-07) indicating industrial control system impact. EPSS score of 0.07% (21st percentile) suggests low automated exploitation probability, and no active exploitation or public POC is identified at time of analysis.

Technical ContextAI

This vulnerability affects the WebSocket Application Programming Interface in ePower.ie charging infrastructure software (CPE: cpe:2.3:a:epower:epower.ie). WebSocket protocols provide full-duplex communication channels over TCP, commonly used for real-time data transmission in industrial IoT and EV charging networks. The root cause is CWE-307 (Improper Restriction of Excessive Authentication Attempts), a fundamental access control weakness where the API fails to implement throttling, account lockout, or CAPTCHA mechanisms on authentication endpoints. In ICS/SCADA environments like EV charging networks, this creates dual risks: availability impact through resource exhaustion (denial-of-service on the WebSocket service itself) and integrity impact through successful credential compromise affecting charger command-and-control functions. The CVSS 4.0 vector indicates network-accessible attack surface with no complexity barriers (AV:N/AC:L/PR:N), making this exploitable by any remote attacker without prerequisites.

RemediationAI

Organizations running ePower.ie should immediately contact the vendor via https://epower.ie/support/ to obtain patching guidance, as no specific fix version is confirmed in available data sources. Until a vendor patch is deployed, implement the following compensating controls in order of effectiveness: First, deploy a Web Application Firewall (WAF) or API gateway with rate limiting rules on the WebSocket authentication endpoint - configure progressive delays after 3-5 failed attempts from the same source IP (note: may impact legitimate users during credential typos, requires tuning). Second, restrict network access to the WebSocket API using firewall rules allowing only known charging station IP ranges or VPN-connected management clients - this blocks internet-wide brute-force attempts but requires maintaining an IP allowlist and may complicate remote diagnostics. Third, enable intrusion detection monitoring for repetitive WebSocket connection patterns from single sources (threshold: >10 auth attempts per minute) and configure automated blocking - introduces dependency on IDS/IPS infrastructure and may generate false positives during legitimate troubleshooting. Fourth, if feasible within ePower.ie architecture, implement mutual TLS authentication requiring client certificates for WebSocket connections - eliminates password brute-forcing entirely but requires certificate lifecycle management overhead. Monitor the CISA ICS advisory https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07 and CSAF file https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-07.json for updated remediation guidance.

Share

CVE-2026-27778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy