Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, low-complexity, unauthenticated OCPP session abuse with no user interaction; impact is availability-only (A:H) with no confidentiality or integrity effect and no scope change.
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.
AnalysisAI
Backend resource exhaustion in Hydro-Québec's Le Circuit Electrique EV charging station backend (all versions prior to the June 2026 fix) lets remote unauthenticated attackers open multiple simultaneous OCPP sessions under a single charging station identifier, flooding the platform with rogue clients. Because the backend never enforces one active session per station ID, an attacker can spin up many spoofed OCPP clients and exhaust backend capacity, degrading or denying service to legitimate charging stations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the OCPP/WebSocket backend endpoint to be network-reachable and to accept multiple concurrent connections for the same charging station identifier - the specific weakness being that the backend does not reject or expire a duplicate session for an already-connected station ID (CWE-613). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VA:H, all other impacts N) scores 8.7 and cleanly matches the description: fully remote, low complexity, no authentication or user interaction, with impact limited exclusively to availability - no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker script repeatedly opens OCPP WebSocket connections to the backend, each authenticating with the same (or spoofed) charging station ID that the backend accepts without rejecting the prior session. By scaling this to many concurrent malicious clients, the attacker consumes backend session and resource capacity until legitimate charging stations can no longer connect or transact. … |
| Remediation | Apply the vendor's June 2026 backend update, which per the EUVD version range ('<June_2026') is the release that fixes the duplicate-session flaw; because this is an operator-hosted backend, remediation is deployed by Hydro-Québec rather than by station owners, so confirm your platform is on the post-June-2026 build via the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory Le Circuit Electrique backend versions in production and establish incident response procedures for charging outages. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated
Denial-of-service exposure in the Hydro-Québec Le Circuit Électrique EV charging-station backend allows remote, unauthen
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43096
GHSA-7wpg-27g9-f8vc