Skip to main content

Le Circuit Électrique EUVDEUVD-2026-43095

| CVE-2026-42952 HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-07-10 icscert GHSA-88vc-rc72-29f3
8.7
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity abuse of an unthrottled auth endpoint whose stated impact is denial-of-service, so A:H with C:N/I:N; the official vector's VI:H conflicts with the DoS description.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 10, 2026 - 23:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 23:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 23:22 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 23:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
Jul 10, 2026 - 22:54 vuln.today

DescriptionCVE.org

Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack.

AnalysisAI

Denial-of-service exposure in the Hydro-Québec Le Circuit Électrique EV charging-station backend allows remote, unauthenticated attackers to hammer the authentication endpoint without rate limiting, degrading or exhausting the service that charging stations rely on. The flaw (CWE-307, missing throttling of repeated auth attempts) affects all backend versions prior to the June 2026 fix and carries a CVSS 4.0 base score of 8.7. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach backend auth endpoint over network
Delivery
Script repeated authentication requests
Exploit
Bypass absent throttling controls
Execution
Flood or brute-force auth service
Impact
Exhaust resources, deny legitimate stations

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against the authentication endpoint of the Le Circuit Électrique charging-station backend, per CVSS AV:N/AC:L/AT:N/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately strong but internally inconsistent, and this should be flagged. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker with no credentials scripts a high rate of authentication requests against the charging-station backend's login endpoint; because no throttling exists, the requests are accepted indefinitely, exhausting authentication resources and preventing legitimate stations from authorizing charging sessions. The same lack of throttling would also permit unlimited automated credential guessing. …
Remediation Because this is a vendor-hosted backend, the fix is applied server-side by Hydro-Québec: per the EUVD record the issue is resolved as of the June 2026 backend version, so operators should confirm their environment is on the June 2026 or later backend and require no client-side patching of field stations. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Implement rate limiting on the authentication endpoint and enable DDoS mitigation controls; monitor authentication traffic for anomalous patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy