Ev.Energy
Ev.Energy's WebSocket implementation accepts duplicate session identifiers from multiple endpoints, allowing attackers to hijack active charging station sessions by predicting session identifiers. An unauthenticated remote attacker can impersonate legitimate stations to intercept commands, authenticate as other users, or disrupt service by flooding the backend with spoofed session requests. No patch is currently available.
Ev.Energy charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated remote attackers to obtain access identifiers. An attacker with these credentials could potentially intercept or manipulate charging sessions and related data. No patch is currently available for this exposure.
Ev.Energy's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force credential attacks without restriction. This vulnerability affects all unauthenticated network-based interactions with the affected application and has no available patch at this time.
Missing WebSocket authentication — fifth CVE in the industrial platform WebSocket family. Same CWE-306 pattern enabling unauthenticated access and station impersonation.