Description
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
Published: 2026-02-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Brute-Force Authentication
Action: Contact Vendor
AI Analysis

Impact

The WebSocket application programming interface does not restrict the number of authentication attempts (CWE‑307, Improper Restriction of Excessive Authentication Attempts), so an attacker can drive the authentication mechanism without limit. Per the advisory, this can be used for denial of service, by suppressing or mis‑routing legitimate charger telemetry, or for brute‑force attacks against credentials to gain unauthorized access. Note that the assigned CVSS vectors score only the availability impact (VA:H in v4.0, A:H in v3.1) and no confidentiality or integrity impact.

Affected Systems

The advisory identifies the affected product only as the WebSocket API of SWITCH EV's swtchenergy.com platform (CPE cpe:2.3:a:swtchenergy:swtchenergy.com:*:*:*:*:*:*:*:*). No version or build information is disclosed, so every deployment of the platform should be treated as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS score of 8.7 (CVSS v4.0; the v3.1 score is 7.5) indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the KEV catalog. Both vectors describe a remote, network‑reachable WebSocket endpoint requiring no privileges and no user interaction, with the scored impact limited to availability. If exploited, an attacker could disrupt telemetry flows and cause service outages, or, by guessing credentials through repeated attempts, gain unauthorized access to the API. The SSVC 'Automatable' value for the record was revised from 'no' to 'yes' on 10 March 2026.

Generated by OpenCVE AI on April 16, 2026 at 15:48 UTC.

Remediation

Vendor Workaround

SWITCH EV did not respond to CISA's request for coordination, so no vendor fix or workaround is published. Contact SWITCH EV via their contact page (https://swtchenergy.com/contact/) for more information.


OpenCVE Recommended Actions

  • Contact SWITCH EV via their contact page for remediation guidance.
  • Limit exposure of the WebSocket API by applying firewall rules or network segmentation to restrict connections to trusted hosts.
  • Implement application‑ or network‑layer rate limiting on the authentication endpoint, counting failed attempts per source and per account, to throttle repeated attempts and blunt both the DoS and the brute‑force case.
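The following added example (not SWITCH EV's code, nor OpenCVE's) shows the weakness the Impact section describes next to the throttling the last recommendation calls for: a WebSocket‑style authentication handler with no limit beside one that counts failures per source and per account and locks the account out. The message shape ({"type": "auth", "account": ..., "password": ...}), the handler names, the limit values and the credential store are all assumptions; the `simulate` function drives a constructed brute force through both handlers so the difference in how many guesses reach the credential check is visible.

```python
"""Rate limiting and lockout for a WebSocket authentication handler.

Added example for the CWE-307 weakness and the rate-limiting recommendation
above; this is not SWITCH EV code. The message shape, the handler names and
the limits are assumptions, and the credential store is constructed.
"""
import hmac
import time
from collections import defaultdict, deque

# Assumed policy values; tune them to the real deployment.
WINDOW_SECONDS = 60           # sliding window over which failures are counted
MAX_FAILS_PER_CLIENT = 5      # failed attempts one source may make per window
MAX_FAILS_PER_ACCOUNT = 10    # failed attempts against one account per window
LOCKOUT_SECONDS = 300         # lockout applied once the account limit is hit

# Constructed credential store; a real service would hold password hashes.
_CREDENTIALS = {"charger-0001": "correct horse battery staple"}


class AuthRateLimiter:
    """Sliding-window failure counters keyed by client address and by account,
    plus a per-account lockout table. Only failed attempts are counted, so a
    charger that authenticates correctly is never throttled."""

    def __init__(self, now=time.monotonic):
        self.now = now                      # injectable clock (the demo uses a fake one)
        self.by_client = defaultdict(deque)
        self.by_account = defaultdict(deque)
        self.locked_until = {}

    def _prune(self, timestamps, t):
        while timestamps and timestamps[0] <= t - WINDOW_SECONDS:
            timestamps.popleft()

    def check(self, client, account):
        """Return None if the attempt may proceed, else a rejection reason."""
        t = self.now()
        if self.locked_until.get(account, 0) > t:
            return "account_locked"
        self._prune(self.by_client[client], t)
        if len(self.by_client[client]) >= MAX_FAILS_PER_CLIENT:
            return "client_rate_limited"
        self._prune(self.by_account[account], t)
        if len(self.by_account[account]) >= MAX_FAILS_PER_ACCOUNT:
            # Distributed guessing from many sources still trips this limit.
            self.locked_until[account] = t + LOCKOUT_SECONDS
            return "account_locked"
        return None

    def record_failure(self, client, account):
        t = self.now()
        self.by_client[client].append(t)
        self.by_account[account].append(t)


def _password_matches(account, password):
    stored = _CREDENTIALS.get(account)
    # Constant-time compare; unknown accounts fail the same way as wrong passwords.
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def handle_auth_unlimited(msg):
    """The vulnerable shape: every attempt reaches the credential check."""
    return {"type": "auth_result", "ok": _password_matches(msg["account"], msg["password"])}


def handle_auth_limited(limiter, client, msg):
    """Hardened handler: consult the limiter before touching credentials.
    Failures against unknown accounts are counted too, so the limiter does
    not become an account-enumeration oracle."""
    reason = limiter.check(client, msg["account"])
    if reason is not None:
        return {"type": "auth_result", "ok": False, "error": reason}
    ok = _password_matches(msg["account"], msg["password"])
    if not ok:
        limiter.record_failure(client, msg["account"])
    return {"type": "auth_result", "ok": ok}


def simulate(limited, clients, attempts_per_client):
    """Constructed brute force: each client sends wrong passwords for one
    account, interleaved, 0.1 s apart on a fake clock. Returns how many
    attempts reached the credential check and how many were rejected."""
    clock = [0.0]
    limiter = AuthRateLimiter(now=lambda: clock[0])
    counts = {"checked": 0, "client_rate_limited": 0, "account_locked": 0}
    for i in range(attempts_per_client):
        for client in clients:
            clock[0] += 0.1
            msg = {"type": "auth", "account": "charger-0001", "password": f"guess-{i}"}
            resp = (handle_auth_limited(limiter, client, msg) if limited
                    else handle_auth_unlimited(msg))
            counts[resp.get("error", "checked")] += 1
    return counts


if __name__ == "__main__":
    print("unlimited, 1 source x 50:", simulate(False, ["10.0.0.1"], 50))
    print("limited,   1 source x 50:", simulate(True, ["10.0.0.1"], 50))
    print("limited,   3 sources x 5:", simulate(True, ["10.0.0.1", "10.0.0.2", "10.0.0.3"], 5))
```

Run directly, the script shows that all 50 guesses from one source reach the credential check in the unlimited handler, only 5 do in the limited one, and three sources guessing the same account together are stopped by the per‑account limit after 10 attempts. Two caveats for a real deployment: the counters must live in shared storage when the API runs on more than one node, and an account lockout is itself a denial‑of‑service lever (an attacker can lock out a legitimate charger), so the per‑account response is usually a progressive delay rather than a hard lock, with the lockout reserved for clearly abusive volumes.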

Generated by OpenCVE AI on April 16, 2026 at 15:48 UTC.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 20:15:00 +0000

  • Metrics (ssvc)
    Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 20:30:00 +0000

  • Metrics (cvssV4_0)
    Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Mon, 02 Mar 2026 21:15:00 +0000

  • Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:45:00 +0000

  • First Time appeared
    Added: Swtchenergy; Swtchenergy swtchenergy.com
  • CPEs
    Added: cpe:2.3:a:swtchenergy:swtchenergy.com:*:*:*:*:*:*:*:*
  • Vendors & Products
    Added: Swtchenergy; Swtchenergy swtchenergy.com

Fri, 27 Feb 2026 09:15:00 +0000

  • First Time appeared
    Added: Switch Ev; Switch Ev swtchenergy.com
  • Vendors & Products
    Added: Switch Ev; Switch Ev swtchenergy.com

Fri, 27 Feb 2026 00:15:00 +0000

  • Description
    Added: The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
  • Title
    Added: SWITCH EV swtchenergy.com Improper Restriction of Excessive Authentication Attempts
  • Weaknesses
    Added: CWE-307
  • References
  • Metrics (cvssV3_1)
    Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-10T19:20:52.878Z

Reserved: 2026-02-23T23:48:14.377Z

Link: CVE-2026-25113

Vulnrichment

Updated: 2026-03-02T20:27:55.540Z

NVD

Status : Modified

Published: 2026-02-27T00:16:56.853

Modified: 2026-03-05T21:16:15.610

Link: CVE-2026-25113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses