Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Published: 2026-03-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking and DoS
Action: Apply Fix
AI Analysis

Impact

The WebSocket backend for ePower's epower.ie platform uses charging station identifiers as session IDs but permits multiple endpoints to connect with the same identifier. Because the session IDs are predictable, an attacker can hijack or shadow a legitimate session, causing the most recent connection to receive backend commands intended for the displaced station. This flaw can also be used to launch a denial-of-service by flooding the backend with valid session requests, ultimately disrupting charging station operations.

Affected Systems

The vulnerability affects the ePower epower.ie charging station management platform. No specific product version is identified in the advisory, so all current and future deployments should be considered potentially susceptible until a vendor patch is issued.

Risk and Exploitability

The CVSS base score of 6.9 indicates medium severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker with network access to the WebSocket endpoint can construct a valid session identifier and establish a connection, thus hijacking the session or flooding the backend. The attack requires no privileged credentials and can be performed remotely, making it potentially impactful for operations that rely on the platform for charging infrastructure control.

Generated by OpenCVE AI on April 16, 2026 at 11:51 UTC.

Remediation

Vendor Workaround

ePower did not respond to CISA's request for coordination. Contact ePower using their contact page here: https://epower.ie/support/ for more information.
OpenCVE Recommended Actions

  • Contact ePower via their support page to obtain patch information or further guidance.
  • Implement network restrictions that limit WebSocket connections to known, trusted devices only, mitigating the risk of unauthorized session hijacking and service disruption until a vendor fix is available.
  • When a vendor patch becomes available, deploy it immediately and review the session handling configuration to ensure that session identifiers are unique and correctly expire.
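As an added illustration (not ePower's code; the station ids, the HMAC token scheme and the registry class names are assumptions), the weak last-writer-wins session registry the advisory describes is shown beside one that authenticates the station, refuses a second live session for the same id instead of displacing it, and expires idle sessions:

```python
import hashlib
import hmac
import time

BACKEND_KEY = b"constructed-demo-key"  # constructed; real backends hold one credential per station

def station_token(station_id: str) -> str:
    """Per-station credential (assumed scheme): HMAC of the id under the backend key."""
    return hmac.new(BACKEND_KEY, station_id.encode(), hashlib.sha256).hexdigest()

class WeakRegistry:
    """Keys sessions by the bare, predictable station id and lets the newest
    connection silently displace the existing one, as the advisory describes."""
    def __init__(self):
        self.sessions = {}  # station_id -> connection
    def connect(self, station_id, conn):
        self.sessions[station_id] = conn  # last writer wins: the new socket shadows the old
        return True
    def route(self, station_id):
        return self.sessions.get(station_id)

class HardenedRegistry:
    """Demands a per-station credential, refuses a second live session for the
    same id instead of displacing it, and expires idle sessions (CWE-613)."""
    def __init__(self, idle_timeout=60.0, now=time.monotonic):
        self.sessions = {}  # station_id -> (connection, last_seen)
        self.idle_timeout = idle_timeout
        self.now = now  # injectable clock so expiry can be tested deterministically
    def connect(self, station_id, conn, token):
        if not hmac.compare_digest(token, station_token(station_id)):
            return False  # the id is guessable; only the real station holds the token
        self._expire()
        if station_id in self.sessions:
            return False  # duplicate live session is rejected, not allowed to shadow
        self.sessions[station_id] = (conn, self.now())
        return True
    def heartbeat(self, station_id):
        if station_id in self.sessions:
            self.sessions[station_id] = (self.sessions[station_id][0], self.now())
    def disconnect(self, station_id, conn):
        if self.sessions.get(station_id, (None,))[0] is conn:
            del self.sessions[station_id]  # only the owning connection frees the slot
    def _expire(self):
        cutoff = self.now() - self.idle_timeout
        for sid in [s for s, (_, seen) in self.sessions.items() if seen < cutoff]:
            del self.sessions[sid]
    def route(self, station_id):
        self._expire()
        entry = self.sessions.get(station_id)
        return entry[0] if entry else None
```

With the hardened registry a connection that only knows the station id is refused before it can claim the slot, and a legitimate station that drops off the network regains its slot either through its own disconnect or after the idle timeout.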

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Epower; Epower epower.ie

Type: Vendors & Products
Values removed: (none)
Values added: Epower; Epower epower.ie

Fri, 06 Mar 2026 00:00:00 +0000

Type: Description
Values removed: (none)
Values added: The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Type: Title
Values removed: (none)
Values added: ePower epower.ie Insufficient Session Expiration

Type: Weaknesses
Values removed: (none)
Values added: CWE-613

Type: References
Values removed: (empty)
Values added: (empty)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-09T17:21:35.255Z

Reserved: 2026-02-24T00:23:47.066Z

Link: CVE-2026-24912

Vulnrichment

Updated: 2026-03-09T17:21:31.617Z

NVD

Status : Awaiting Analysis

Published: 2026-03-06T00:16:10.553

Modified: 2026-03-09T13:36:08.413

Link: CVE-2026-24912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:00:11Z

Weaknesses