Skip to main content

Evoke CSMS CVE-2026-50176

| EUVDEUVD-2026-39568 HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-06-25 icscert GHSA-5v82-xxfg-jqxw
8.7
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, low-complexity, unauthenticated WebSocket flooding yields availability impact (A:H); confidentiality/integrity left N since access compromise is credential-dependent and not guaranteed.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 25, 2026 - 22:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 22:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jun 25, 2026 - 22:22 NVD
7.5 (HIGH) 8.7 (HIGH)
CVE Published
Jun 25, 2026 - 21:54 cve.org
HIGH 7.5
Analysis Generated
Jun 25, 2026 - 21:52 vuln.today

DescriptionCVE.org

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.

AnalysisAI

Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed CSMS WebSocket endpoint
Delivery
Open authentication session
Exploit
Flood unthrottled auth requests
Execution
Exhaust resources or brute-force credentials
Impact
Deny service or gain unauthorized access

Vulnerability AssessmentAI

Exploitation The specific prerequisite is network reachability to the Evoke CSMS WebSocket authentication interface; per the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) no authentication, no privileges, and no user interaction are required, so against an exposed endpoint this is remote and unauthenticated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially aligned but incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Evoke CSMS WebSocket endpoint opens connections and submits authentication requests in a tight loop with no throttling to stop them. They either flood the endpoint until it exhausts resources and legitimate charge points can no longer connect (DoS), or they iterate through credential guesses at high speed to brute-force a valid account. …
Remediation No vendor-released patch version is identified in the available data, so consult the CISA advisory (https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02) and contact Evoke Systems (https://evokesystems.com/contact-us/) for fixed-version guidance and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Evoke CSMS and confirm whether exposed to external networks; apply immediate network-level restrictions to block untrusted inbound access to the authentication endpoint. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy