Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
AnalysisAI
A session management vulnerability exists in the WebSocket backend of IGL Technologies' eparking.fi platform that allows multiple endpoints to connect using the same charging station identifier. An unauthenticated remote attacker can hijack legitimate charging station sessions by connecting with predictable session identifiers, enabling them to intercept backend commands, authenticate as other users, or cause denial-of-service by overwhelming the backend with concurrent session requests. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Remote unauthenticated attacker can exploit the WebSocket backend by connecting with predictable or known charging station identifiers. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS score of 7.3 (High severity) reflects the network-based attack vector (AV:N), low attack complexity (AC:L), and no required privileges (PR:N) or user interaction (UI:N), making this vulnerability highly accessible to remote attackers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies exposed WebSocket endpoints for an eparking.fi charging infrastructure deployment through internet scanning. By analyzing network traffic or testing sequential station identifiers, the attacker determines the predictable format used for charging station session identifiers. … |
| Remediation | Consult the CISA ICS-CERT advisory ICSA-26-078-08 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08 for official remediation guidance from IGL Technologies regarding patches or configuration changes to enforce unique session binding per charging station. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all eparking.fi deployments and assess exposure; enable enhanced logging on WebSocket connections and backend authentication systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eparking Fi
View allUnauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations a
Unlimited authentication attempts against the eParking.fi WebSocket API enable network-based denial-of-service attacks t
A web-based mapping platform exposes charging station authentication identifiers publicly, allowing unauthenticated netw
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13859
GHSA-365r-wjfh-hwpv