Skip to main content

Api Everon Io

3 CVEs product

Monthly

CVE-2026-26288 CRITICAL Act Now

Unauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform via unprotected OCPP WebSocket endpoints. By connecting with a known or discovered station identifier, attackers gain full control to issue OCPP commands as legitimate chargers, manipulate charging session data, escalate privileges within the charging network infrastructure, and corrupt backend telemetry. CISA ICS-CERT reports this vulnerability affecting critical EV charging infrastructure. Despite 9.3 CVSS score indicating critical severity, EPSS score of 0.09% (25th percentile) suggests exploitation requires specialized knowledge of OCPP protocol and charging network architecture rather than mass automated scanning.

Privilege Escalation Authentication Bypass Api Everon Io
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-24696 HIGH This Week

Remote denial-of-service and credential brute-force attacks against Everon's api.everon.io WebSocket interface allow unauthenticated attackers to disrupt electric vehicle charging infrastructure by overwhelming the authentication endpoint with unlimited login attempts, suppressing or mis-routing charger telemetry data, or compromising accounts through password guessing. EPSS score is low (0.06%, 20th percentile) indicating limited observed exploitation activity, though the network-accessible, zero-authentication attack vector poses clear operational risk to charging station operators relying on this API for fleet management.

Authentication Bypass Api Everon Io
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-20748 MEDIUM This Month

WebSocket session management in charging station backends allows multiple connections using identical session identifiers, enabling attackers to hijack legitimate sessions and intercept commands or impersonate authorized stations. Unauthenticated remote attackers can exploit this predictable identifier scheme to displace active connections, redirect backend communications, or launch denial-of-service attacks against the charging infrastructure. The vulnerability affects any deployment relying on this WebSocket backend without an available patch.

Authentication Bypass Api Everon Io
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform via unprotected OCPP WebSocket endpoints. By connecting with a known or discovered station identifier, attackers gain full control to issue OCPP commands as legitimate chargers, manipulate charging session data, escalate privileges within the charging network infrastructure, and corrupt backend telemetry. CISA ICS-CERT reports this vulnerability affecting critical EV charging infrastructure. Despite 9.3 CVSS score indicating critical severity, EPSS score of 0.09% (25th percentile) suggests exploitation requires specialized knowledge of OCPP protocol and charging network architecture rather than mass automated scanning.

Privilege Escalation Authentication Bypass Api Everon Io
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Remote denial-of-service and credential brute-force attacks against Everon's api.everon.io WebSocket interface allow unauthenticated attackers to disrupt electric vehicle charging infrastructure by overwhelming the authentication endpoint with unlimited login attempts, suppressing or mis-routing charger telemetry data, or compromising accounts through password guessing. EPSS score is low (0.06%, 20th percentile) indicating limited observed exploitation activity, though the network-accessible, zero-authentication attack vector poses clear operational risk to charging station operators relying on this API for fleet management.

Authentication Bypass Api Everon Io
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

WebSocket session management in charging station backends allows multiple connections using identical session identifiers, enabling attackers to hijack legitimate sessions and intercept commands or impersonate authorized stations. Unauthenticated remote attackers can exploit this predictable identifier scheme to displace active connections, redirect backend communications, or launch denial-of-service attacks against the charging infrastructure. The vulnerability affects any deployment relying on this WebSocket backend without an available patch.

Authentication Bypass Api Everon Io
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy