Skip to main content

Eparking Fi EUVDEUVD-2026-13859

| CVE-2026-32663 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-03-20 icscert GHSA-365r-wjfh-hwpv
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
May 06, 2026 - 18:22 NVD
HIGH MEDIUM
CVSS changed
May 06, 2026 - 18:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
EUVD ID Assigned
Mar 20, 2026 - 23:16 euvd
EUVD-2026-13859
Analysis Generated
Mar 20, 2026 - 23:16 vuln.today
CVE Published
Mar 20, 2026 - 22:59 nvd
HIGH 7.3

DescriptionCVE.org

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

AnalysisAI

A session management vulnerability exists in the WebSocket backend of IGL Technologies' eparking.fi platform that allows multiple endpoints to connect using the same charging station identifier. An unauthenticated remote attacker can hijack legitimate charging station sessions by connecting with predictable session identifiers, enabling them to intercept backend commands, authenticate as other users, or cause denial-of-service by overwhelming the backend with concurrent session requests. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Predict charging station session identifier
Delivery
Connect WebSocket with known identifier
Exploit
Displace legitimate station connection
Execution
Receive backend commands intended for victim
Impact
Execute unauthorized actions or cause denial-of-service

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker can exploit the WebSocket backend by connecting with predictable or known charging station identifiers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS score of 7.3 (High severity) reflects the network-based attack vector (AV:N), low attack complexity (AC:L), and no required privileges (PR:N) or user interaction (UI:N), making this vulnerability highly accessible to remote attackers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies exposed WebSocket endpoints for an eparking.fi charging infrastructure deployment through internet scanning. By analyzing network traffic or testing sequential station identifiers, the attacker determines the predictable format used for charging station session identifiers. …
Remediation Consult the CISA ICS-CERT advisory ICSA-26-078-08 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08 for official remediation guidance from IGL Technologies regarding patches or configuration changes to enforce unique session binding per charging station. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all eparking.fi deployments and assess exposure; enable enhanced logging on WebSocket connections and backend authentication systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-13859 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy