Eparking Fi

4 CVEs product

Monthly

CVE-2026-31926 MEDIUM CISA This Month

A web-based mapping platform exposes charging station authentication identifiers publicly, allowing unauthenticated network-based attackers to access sensitive credential information without any user interaction required. The vulnerability affects IGL Technologies eparking.fi application and enables attackers to obtain authentication material that could be leveraged for unauthorized access to charging infrastructure. There is no indication of active exploitation in the wild or public proof-of-concept code, but the vulnerability represents a direct exposure of authentication secrets (CWE-522) with moderate real-world impact.

Information Disclosure Eparking Fi
NVD GitHub VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-32663 MEDIUM CISA This Month

A session management vulnerability exists in the WebSocket backend of IGL Technologies' eparking.fi platform that allows multiple endpoints to connect using the same charging station identifier. An unauthenticated remote attacker can hijack legitimate charging station sessions by connecting with predictable session identifiers, enabling them to intercept backend commands, authenticate as other users, or cause denial-of-service by overwhelming the backend with concurrent session requests. This vulnerability affects operational technology (OT) infrastructure and has been disclosed by CISA ICS-CERT.

Authentication Bypass Eparking Fi
NVD GitHub VulDB
CVSS 4.0: 6.9
EPSS: 0.0%
CVE-2026-31903 HIGH CISA Act Now

Unlimited authentication attempts against the eParking.fi WebSocket API enable network-based denial-of-service attacks that suppress or mis-route electric vehicle charger telemetry, and enable credential brute-forcing to gain unauthorized system access. The issue was reported by ICS-CERT and affects all versions of the charging management platform. An EPSS score of 0.07% (22nd percentile) suggests a low probability of widespread exploitation, though SSVC marks it as automatable with partial technical impact. No active exploitation is confirmed (it is not in CISA KEV), but a CVSS score of 8.7 with AV:N/PR:N/AC:L indicates trivial remote exploitation against unauthenticated endpoints.

Authentication Bypass Eparking Fi
NVD GitHub VulDB
CVSS 4.0: 8.7
EPSS: 0.1%
CVE-2026-29796 CRITICAL CISA Emergency

Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. No patch is currently available for this critical vulnerability affecting EV charging systems.

Authentication Bypass Privilege Escalation Eparking Fi
NVD GitHub VulDB
CVSS 4.0: 9.3
EPSS: 0.1%