Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Published: 2026-03-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and potential unauthorized access through unrestricted authentication attempts
Action: Deploy Workaround
AI Analysis

Impact

The vulnerability resides in the WebSocket API of Everon’s api.everon.io, which does not enforce any restriction on the number of authentication attempts. This flaw permits an attacker to flood the authentication endpoint, possibly causing denial of service by overwhelming legitimate telemetry traffic or, if credentials are guessed, gaining unauthorized access. The issue is classified under CWE‑307 (Improper Restriction of Excessive Authentication Attempts).

Affected Systems

The affected system is Everon’s api.everon.io platform. No specific product versions are listed, so all current deployments of the API service are potentially impacted until a fix is applied.

Risk and Exploitability

The high CVSS score of 8.7 reflects significant impact on availability and the risk of credential compromise. The EPSS score of less than 1% indicates that the likelihood of immediate exploitation in the wild is low, and the vulnerability is not currently listed in CISA’s KEV catalog. The most plausible attack path relies on sending repeated authentication requests over the WebSocket connection; an attacker would need network access to the vulnerable endpoint. Given the severity, the recommendation is to mitigate promptly, as the potential for denial of service or unauthorized access is serious.

Generated by OpenCVE AI on April 16, 2026 at 11:22 UTC.

Remediation

Vendor Workaround

Everon shut down their platform on December 1st, 2025.


OpenCVE Recommended Actions

  • Shut down or disable the api.everon.io service until a patch is released or a verified fix is applied
  • Restrict access to the API endpoint using network controls such as firewall rules, VPN, or IP whitelisting to reduce the attack surface
  • Implement logging and monitoring of authentication attempts, and apply manual rate limiting or temporary access controls to detect and throttle potential brute‑force activity
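
The throttling recommended in the last item could look like the following sketch, an added example that is not Everon's or OpenCVE's code. The page gives no protocol details, so the class and function names, the thresholds, the idea of a per-charger identity string and the sample events are all assumptions.

```python
import time
from collections import defaultdict, deque

class AuthAttemptLimiter:
    """Sliding-window cap on failed logins, per source address and per claimed identity."""
    def __init__(self, max_failures=5, window_s=60.0, lockout_s=300.0):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout ends

    def allowed(self, source_ip, identity, now):
        keys = (("ip", source_ip), ("id", identity))
        return all(self._locked_until.get(k, 0.0) <= now for k in keys)

    def record(self, source_ip, identity, success, now):
        if success:
            # Reset only the identity counter; keep the source address history.
            self._failures.pop(("id", identity), None)
            return []
        locked = []  # keys that this failure pushed over the limit
        for key in (("ip", source_ip), ("id", identity)):
            q = self._failures[key]
            q.append(now)
            while q[0] <= now - self.window_s:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout_s
                q.clear()
                locked.append(key)
        return locked

def handle_auth(limiter, source_ip, identity, credential_ok, now=None):
    now = time.monotonic() if now is None else now
    if not limiter.allowed(source_ip, identity, now):
        return "throttled"  # rejected before the credential is checked
    limiter.record(source_ip, identity, credential_ok, now)
    return "ok" if credential_ok else "denied"

# Constructed sample events: (time_s, source_ip, identity, credential_ok)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "charger-001", False),
    (1, "203.0.113.7", "charger-001", False),
    (2, "203.0.113.7", "charger-001", False),    # third failure starts the lockout
    (3, "203.0.113.7", "charger-002", False),    # same source, other identity
    (4, "198.51.100.9", "charger-001", True),    # other source, locked identity
    (400, "198.51.100.9", "charger-001", True),  # after the lockout has expired
]

def replay(events, limiter):
    return [handle_auth(limiter, ip, ident, ok, now=t) for t, ip, ident, ok in events]
```

The fifth sample event shows the trade-off of a hard per-identity lockout: a valid login is refused while the identity is locked, so the per-identity threshold needs to be looser than the per-source one, or replaced by a delay, to avoid turning the limiter into its own denial of service.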


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Everon; Everon api.everon.io
Vendors & Products | | Everon; Everon api.everon.io

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Title | | Everon api.everon.io Improper Restriction of Excessive Authentication Attempts
Weaknesses | | CWE-307
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-10T17:59:15.196Z

Reserved: 2026-02-25T15:28:27.129Z

Link: CVE-2026-24696

Vulnrichment

Updated: 2026-03-10T17:48:26.176Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T16:16:10.193

Modified: 2026-03-10T18:18:28.877

Link: CVE-2026-24696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z
