Skip to main content

Le Circuit Electrique CVE-2026-44383

| EUVDEUVD-2026-43096 HIGH
Insufficient Session Expiration (CWE-613)
2026-07-10 icscert GHSA-7wpg-27g9-f8vc
8.7
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, low-complexity, unauthenticated OCPP session abuse with no user interaction; impact is availability-only (A:H) with no confidentiality or integrity effect and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 10, 2026 - 23:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 23:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 23:22 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 23:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
Jul 10, 2026 - 22:52 vuln.today

DescriptionCVE.org

Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.

AnalysisAI

Backend resource exhaustion in Hydro-Québec's Le Circuit Electrique EV charging station backend (all versions prior to the June 2026 fix) lets remote unauthenticated attackers open multiple simultaneous OCPP sessions under a single charging station identifier, flooding the platform with rogue clients. Because the backend never enforces one active session per station ID, an attacker can spin up many spoofed OCPP clients and exhaust backend capacity, degrading or denying service to legitimate charging stations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach backend OCPP WebSocket endpoint
Delivery
Reuse or spoof valid station ID
Exploit
Open many duplicate sessions per ID
Execution
Backend accepts concurrent rogue clients
Persist
Exhaust session/resource capacity
Impact
Deny service to legitimate stations

Vulnerability AssessmentAI

Exploitation Exploitation requires the OCPP/WebSocket backend endpoint to be network-reachable and to accept multiple concurrent connections for the same charging station identifier - the specific weakness being that the backend does not reject or expire a duplicate session for an already-connected station ID (CWE-613). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VA:H, all other impacts N) scores 8.7 and cleanly matches the description: fully remote, low complexity, no authentication or user interaction, with impact limited exclusively to availability - no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker script repeatedly opens OCPP WebSocket connections to the backend, each authenticating with the same (or spoofed) charging station ID that the backend accepts without rejecting the prior session. By scaling this to many concurrent malicious clients, the attacker consumes backend session and resource capacity until legitimate charging stations can no longer connect or transact. …
Remediation Apply the vendor's June 2026 backend update, which per the EUVD version range ('<June_2026') is the release that fixes the duplicate-session flaw; because this is an operator-hosted backend, remediation is deployed by Hydro-Québec rather than by station owners, so confirm your platform is on the post-June-2026 build via the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory Le Circuit Electrique backend versions in production and establish incident response procedures for charging outages. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy