EUVD-2026-13855CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Analysis
The CTEK ChargePortal WebSocket API contains a critical rate limiting vulnerability that permits unlimited authentication attempts. This flaw enables attackers to either launch denial-of-service attacks by overwhelming the system with authentication requests that suppress legitimate charger telemetry data, or conduct brute-force attacks to compromise user credentials and gain unauthorized system access. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all CTEK ChargePortal deployments and assess network exposure; implement network-level access controls to restrict WebSocket API endpoints. Within 7 days: Deploy WAF rules to rate-limit authentication attempts; enable enhanced logging and monitoring for suspicious authentication patterns; notify CTEK for patch timeline. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today