Description
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
Published: 2026-02-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Unauthorized Access
Action: Contact Vendor
AI Analysis

Impact

The vulnerability resides in the ev.energy WebSocket API, which lacks limits on authentication attempts. Attackers can flood the endpoint with credential requests, potentially overwhelming the device and disrupting charger telemetry, or attempt brute‑force credential guessing to gain unauthorized access. This weakness is a classic example of CWE‑307 and poses a high risk to both availability and confidentiality.

Affected Systems

The affected product is ev.energy from EV Energy. No specific version or build information was disclosed in the advisory, so all releases of the platform that expose the WebSocket API are potentially impacted.

Risk and Exploitability

The CVSS score is 8.7, indicating a high severity vulnerability. The EPSS score of less than 1 % suggests that exploitation is currently unlikely but the low threshold means the risk could increase if a public exploit emerges. The vulnerability is not listed in the CISA KEV catalog, so there is currently no evidence of widespread exploitation. Attackers would target the WebSocket endpoint over the network, sending repeated authentication frames to trigger a denial of service or gain access.

Generated by OpenCVE AI on April 16, 2026 at 05:59 UTC.

Remediation

Vendor Workaround

EV Energy did not respond to CISA's request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

OpenCVE Recommended Actions

  • Reach out to EV Energy via their contact page to request a patch or detailed remediation instructions.
  • Apply any vendor‑supplied fix once released; if unavailable, proceed to temporary controls.
  • Enforce rate limiting on the WebSocket authentication endpoint, either with a firewall, load balancer, or application‑level throttle, to restrict repeated attempts per IP or session.
  • Monitor authentication logs for anomalous patterns and set alerts for excessive failures, and isolate affected devices on a separate network segment during investigations.

Generated by OpenCVE AI on April 16, 2026 at 05:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Tue, 03 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Ev.energy
Ev.energy ev.energy
CPEs cpe:2.3:a:ev.energy:ev.energy:*:*:*:*:*:*:*:*
Vendors & Products Ev.energy
Ev.energy ev.energy

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Ev Energy
Ev Energy ev.energy
Vendors & Products Ev Energy
Ev Energy ev.energy

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Title EV Energy ev.energy Improper Restriction of Excessive Authentication Attempts
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ev.energy Ev.energy
Ev Energy Ev.energy
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-31T14:20:24.074Z

Reserved: 2026-02-24T00:16:49.682Z

Link: CVE-2026-24445

cve-icon Vulnrichment

Updated: 2026-03-03T01:32:14.073Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T01:16:18.430

Modified: 2026-03-05T21:16:15.193

Link: CVE-2026-24445

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:00:10Z

Weaknesses