ePower.ie CVE-2026-27778
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AnalysisAI
Denial-of-service and credential brute-forcing vulnerabilities in ePower.ie's WebSocket API allow remote unauthenticated attackers to disrupt electric vehicle charger operations or gain unauthorized system access. The API accepts unlimited authentication attempts without rate limiting (CWE-307), enabling attackers to suppress critical charger telemetry, mis-route charging station data, or systematically guess credentials. CISA ICS-CERT has published an advisory (ICSA-26-062-07) indicating industrial control system impact. EPSS score of 0.07% (21st percentile) suggests low automated exploitation probability, and no active exploitation or public POC is identified at time of analysis.
Technical ContextAI
This vulnerability affects the WebSocket Application Programming Interface in ePower.ie charging infrastructure software (CPE: cpe:2.3:a:epower:epower.ie). WebSocket protocols provide full-duplex communication channels over TCP, commonly used for real-time data transmission in industrial IoT and EV charging networks. The root cause is CWE-307 (Improper Restriction of Excessive Authentication Attempts), a fundamental access control weakness where the API fails to implement throttling, account lockout, or CAPTCHA mechanisms on authentication endpoints. In ICS/SCADA environments like EV charging networks, this creates dual risks: availability impact through resource exhaustion (denial-of-service on the WebSocket service itself) and integrity impact through successful credential compromise affecting charger command-and-control functions. The CVSS 4.0 vector indicates network-accessible attack surface with no complexity barriers (AV:N/AC:L/PR:N), making this exploitable by any remote attacker without prerequisites.
RemediationAI
Organizations running ePower.ie should immediately contact the vendor via https://epower.ie/support/ to obtain patching guidance, as no specific fix version is confirmed in available data sources. Until a vendor patch is deployed, implement the following compensating controls in order of effectiveness: First, deploy a Web Application Firewall (WAF) or API gateway with rate limiting rules on the WebSocket authentication endpoint - configure progressive delays after 3-5 failed attempts from the same source IP (note: may impact legitimate users during credential typos, requires tuning). Second, restrict network access to the WebSocket API using firewall rules allowing only known charging station IP ranges or VPN-connected management clients - this blocks internet-wide brute-force attempts but requires maintaining an IP allowlist and may complicate remote diagnostics. Third, enable intrusion detection monitoring for repetitive WebSocket connection patterns from single sources (threshold: >10 auth attempts per minute) and configure automated blocking - introduces dependency on IDS/IPS infrastructure and may generate false positives during legitimate troubleshooting. Fourth, if feasible within ePower.ie architecture, implement mutual TLS authentication requiring client certificates for WebSocket connections - eliminates password brute-forcing entirely but requires certificate lifecycle management overhead. Monitor the CISA ICS advisory https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07 and CSAF file https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-07.json for updated remediation guidance.
Unauthenticated remote attackers can impersonate electric vehicle charging stations in ePower.ie by connecting to expose
WebSocket session handling in charging station backends accepts duplicate session identifiers, allowing attackers to hij
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today