Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Published: 2026-03-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Brute‑Force Attack
Action: Contact Vendor
AI Analysis

Impact

The vulnerability arises from the WebSocket Application Programming Interface in Mobiliti e‑mobi.hu, which does not enforce any limits on the number of authentication attempts. Without a rate‑limiting mechanism, an attacker can overwhelm the system with repeated authentication requests, causing a denial of service by exhausting resources or mis‑directing legitimate charger telemetry. In addition, the absence of controls enables brute‑force attempts that could eventually grant unauthorized access to the authenticated API, compromising confidential telemetry data. The weakness is identified as CWE‑307, indicating inadequate restriction on authentication attempts.

Affected Systems

The affected product is Mobiliti e‑mobi.hu's WebSocket API used for charger telemetry. No specific firmware or version information is provided, so any deployment using the default WebSocket endpoint is potentially affected.

Risk and Exploitability

The CVSS score of 8.7 classifies this flaw as a high-severity vulnerability. The EPSS score is documented as less than 1%, indicating a very low current probability of exploitation, and the issue is not listed in the CISA KEV catalog. Potential attackers would need network access to the WebSocket endpoint and would exploit the lack of authentication throttling to perform DoS or brute‑force attacks. While the likelihood of a mass exploitation event is low, the high impact and absence of a public fix justify proactive mitigation.

Generated by OpenCVE AI on April 16, 2026 at 11:23 UTC.

Remediation

Vendor Workaround

Mobiliti did not respond to CISA's request for coordination. Contact Mobiliti through their support page (https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat) for more information.


OpenCVE Recommended Actions

  • Contact Mobiliti via their support page (https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat) to request a patch or further guidance.
  • Deploy network‑level controls (e.g., firewall or IDS rules) that limit the rate of authentication requests per source IP to the WebSocket endpoint.
  • Implement application‑level or reverse‑proxy rate limiting for authentication attempts to the WebSocket API to prevent excessive retries.
  • Audit access logs for repeated failed authentication attempts and investigate any suspicious activity.
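As an added example (not Mobiliti's or OpenCVE's code), the kind of per-source throttle the second and third actions describe: a sliding-window counter of failed authentication attempts, consulted before the credential check in a WebSocket authentication handler. The window, attempt limit, lockout and IP addresses are assumed values.

```python
"""Per-source throttling of authentication attempts (CWE-307 mitigation).

Added example, not vendor code. The policy constants are assumed values;
a deployment would tune them to its expected charger reconnect behaviour.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window over which failures are counted
MAX_ATTEMPTS = 5         # failures allowed per source within the window
LOCKOUT_SECONDS = 300    # block duration once the limit is reached


class AuthThrottle:
    """Tracks failed authentication attempts per source IP."""

    def __init__(self):
        self._failures = defaultdict(deque)   # ip -> timestamps of failures
        self._locked_until = {}               # ip -> time the lockout expires

    def _prune(self, ip, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def allowed(self, ip, now):
        """True if the source may present credentials at time `now`."""
        if self._locked_until.get(ip, 0) > now:
            return False
        self._prune(ip, now)
        return len(self._failures[ip]) < MAX_ATTEMPTS

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= MAX_ATTEMPTS:
            self._locked_until[ip] = now + LOCKOUT_SECONDS

    def record_success(self, ip):
        self._failures.pop(ip, None)


def handle_auth(throttle, ip, credential_ok, now):
    """Gate one WebSocket auth message: throttle first, credential check second."""
    if not throttle.allowed(ip, now):
        # Close the socket without touching the credential store.
        return "rejected: rate limited"
    if credential_ok:
        throttle.record_success(ip)
        return "authenticated"
    throttle.record_failure(ip, now)
    return "rejected: bad credentials"
```

Because the key is the source IP, legitimate chargers behind the same NAT as a throttled source are also delayed during the lockout; pair this with the log audit in the last action so such collateral rejections are noticed.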

Generated by OpenCVE AI on April 16, 2026 at 11:23 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Mobiliti; Mobiliti e-mobi.hu
Type: Vendors & Products
Values Added: Mobiliti; Mobiliti e-mobi.hu

Fri, 06 Mar 2026 15:30:00 +0000

Type: Description
Values Added: The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Type: Title
Values Added: Mobiliti e-mobi.hu Improper Restriction of Excessive Authentication Attempts
Type: Weaknesses
Values Added: CWE-307
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-10T17:59:37.339Z

Reserved: 2026-02-24T00:30:38.944Z

Link: CVE-2026-20882

Vulnrichment

Updated: 2026-03-10T17:48:45.802Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T16:16:09.913

Modified: 2026-03-10T18:18:05.783

Link: CVE-2026-20882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses