Skip to main content

Evbee Service

1 CVEs product

Monthly

CVE-2026-22093 CRITICAL PATCH Act Now

Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reproducible with standard interception tooling.

Information Disclosure Google Evbee Service
NVD
CVSS 4.0
9.5
EPSS
0.2%
EPSS 0% CVSS 9.5
CRITICAL PATCH Act Now

Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reproducible with standard interception tooling.

Information Disclosure Google Evbee Service
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy