Skip to main content

Evbee Service EUVDEUVD-2026-43325

| CVE-2026-22093 CRITICAL
Improper Certificate Validation (CWE-295)
2026-07-13 DIVD
9.5
CVSS 4.0 · Vendor: DIVD
Share

Severity by source

Vendor (DIVD) PRIMARY
9.5 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (DIVD) · only source for this CVE.

CVSS VectorVendor: DIVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 13, 2026 - 12:01 EUVD
Analysis Generated
Jul 13, 2026 - 11:13 vuln.today
CVE Published
Jul 13, 2026 - 09:10 cve.org
CRITICAL 9.5

DescriptionCVE.org

The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.

This issue affects EVbee Service: v1.4.101.00.

AnalysisAI

Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: issue a security advisory to all EVbee Service users recommending they avoid public WiFi and unsecured networks, and enable network monitoring for suspicious connection attempts to EVbee infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43325 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy