Description
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
Published: 2026-02-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

The WebSocket Application Programming Interface does not limit the number of authentication requests a client may submit. An attacker can therefore flood the endpoint with authentication attempts until the service degrades and legitimate charger telemetry is suppressed or mis‑routed (denial of service), or run a credential brute‑force against the same endpoint to gain unauthorized access to the charging infrastructure. The weakness is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts).

Affected Systems

CloudCharge’s CloudCharge.se product is affected. The advisory gives no version information and the CPE entry (cpe:2.3:a:cloudcharge:cloudcharge.se:*:*:*:*:*:*:*:*) carries a wildcard version, so every version of the WebSocket interface should be treated as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS v4.0 base score of 8.7 (High) and the earlier CVSS v3.1 score of 7.5 both rate the flaw as exploitable over the network with low attack complexity and no privileges or user interaction. Note that both vectors assign impact to availability only (VC:N/VI:N/VA:H and C:N/I:N/A:H respectively), so the unauthorized‑access outcome described by the CNA is not reflected in the score; treat the brute‑force risk as additional to the rating. An EPSS score below 1% means the model predicts a low probability of exploitation in the wild over the coming 30 days, not that the flaw is hard to exploit, and it is not listed in CISA’s KEV catalog; the SSVC assessment records no known exploitation but marks the vulnerability as automatable. Any actor able to reach the WebSocket endpoint, whether over the public Internet or a private network connecting to the CloudCharge service, can attempt exploitation; no credentials are required beyond the ability to send authentication attempts.

Generated by OpenCVE AI on April 16, 2026 at 15:52 UTC.

Remediation

Vendor Workaround

CloudCharge did not respond to CISA's request for coordination. For more information, contact CloudCharge through their contact page: https://cloudcharge.tech/support/contact/


OpenCVE Recommended Actions

  • Enforce rate limiting on the WebSocket authentication endpoint: cap failed attempts per source address within a time window and per account consecutively, and apply a lockout or exponential back‑off once the cap is exceeded, so that a single client can neither brute‑force credentials nor exhaust the service with authentication traffic.
  • Monitor authentication logs for abnormal activity and automatically alert on or block source addresses that exceed a predefined failure threshold. A per‑IP threshold alone does not stop an attacker who spreads attempts across many addresses, so track and alert on per‑account failures as well.
  • Contact CloudCharge, report the issue, and request a security patch or remedial update that addresses the CWE‑307 weakness.
  • Until a fix is available, restrict WebSocket traffic at the firewall to trusted IP ranges (such as the networks the chargers connect from), or place the endpoint behind a gateway that requires a valid pre‑authentication token before the WebSocket handshake is accepted.
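One way to implement the first two actions, a per‑source and per‑account throttle in front of the credential check and a log‑based detector that flags sources exceeding a failure threshold, written as an added example for this page and not taken from CloudCharge or OpenCVE. The thresholds, the `ws-auth` log‑line format, the `AuthThrottle`, `authenticate` and `flag_sources` names, and the sample addresses and account IDs are all constructed assumptions; nothing here reflects how the cloudcharge.se WebSocket API actually frames or checks its authentication messages.

```python
"""Throttling and detection for WebSocket authentication attempts (CWE-307).

Added example; not CloudCharge code. Thresholds, names, log format and sample
data are constructed for illustration.
"""
import hmac
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60           # sliding window for per-source failure counting
MAX_FAILURES_PER_SOURCE = 10  # failed attempts one source IP may make per window
MAX_FAILURES_PER_ACCOUNT = 5  # consecutive failures before an account is locked
BASE_LOCKOUT_SECONDS = 30     # first lockout length; doubles per further failure


class AuthThrottle:
    """Tracks failed authentication attempts and decides whether to accept a new one."""

    def __init__(self):
        self._source_failures = defaultdict(deque)  # ip -> timestamps of failures
        self._account_failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}                     # account -> epoch seconds

    def _prune(self, q, now):
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def allow(self, ip, account, now):
        """Return True if an attempt from ip for account may reach the credential check."""
        q = self._source_failures[ip]
        self._prune(q, now)
        if len(q) >= MAX_FAILURES_PER_SOURCE:
            return False                             # source is spraying attempts
        return self._locked_until.get(account, 0) <= now

    def record(self, ip, account, success, now):
        """Update counters after the credential check; a success resets the account."""
        if success:
            self._account_failures[account] = 0
            self._locked_until.pop(account, None)
            return
        self._source_failures[ip].append(now)
        n = self._account_failures[account] + 1
        self._account_failures[account] = n
        if n >= MAX_FAILURES_PER_ACCOUNT:
            # Exponential back-off: 30 s on the 5th failure, 60 s on the 6th, ...
            lockout = BASE_LOCKOUT_SECONDS * 2 ** (n - MAX_FAILURES_PER_ACCOUNT)
            self._locked_until[account] = now + lockout


def authenticate(throttle, ip, account, presented, expected, now):
    """Wrap a shared-secret check with the throttle.

    Returns 'throttled' (rejected before any credential work), 'denied' or 'ok'.
    """
    if not throttle.allow(ip, account, now):
        return "throttled"
    ok = hmac.compare_digest(presented.encode(), expected.encode())  # constant time
    throttle.record(ip, account, ok, now)
    return "ok" if ok else "denied"


# Constructed log format (assumed, not a real CloudCharge format):
#   <timestamp> ws-auth src=<ip> account=<id> result=<ok|denied|throttled>
LOG_RE = re.compile(r"src=(?P<ip>\S+) account=(?P<acct>\S+) result=(?P<res>\w+)")


def flag_sources(log_lines, threshold=5):
    """Return [(ip, failures)] for sources with at least `threshold` non-ok results."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("res") != "ok":
            counts[m.group("ip")] += 1
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


# Constructed sample: one source hammering a single account, one legitimate client.
SAMPLE_LOG = [
    f"2026-02-26T10:00:{i:02d}Z ws-auth src=203.0.113.5 account=charger-0017 result=denied"
    for i in range(6)
] + [
    "2026-02-26T10:00:07Z ws-auth src=198.51.100.7 account=charger-0017 result=ok",
    "2026-02-26T10:00:08Z ws-auth src=198.51.100.7 account=charger-0021 result=denied",
]


if __name__ == "__main__":
    t = AuthThrottle()
    # Attacker guesses the secret for one account twelve times, one per second.
    outcomes = [authenticate(t, "203.0.113.5", "charger-0017", "guess", "s3cret", now)
                for now in range(12)]
    print(outcomes)                  # 5 x 'denied', then 'throttled' (account locked)
    # The real charger authenticates once the 30 s lockout has expired.
    print(authenticate(t, "198.51.100.7", "charger-0017", "s3cret", "s3cret", 40))  # 'ok'
    print(flag_sources(SAMPLE_LOG))  # [('203.0.113.5', 6)]
```

Throttled attempts are rejected before the credential check runs, which is what protects the service from the availability side of the issue; the per‑account counter is what stops a distributed brute‑force that rotates source addresses. In a real deployment the counters would live in shared storage rather than process memory so that every WebSocket front end sees the same state.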

Advisories

No advisories yet.

History

(No values were removed in any entry; each line lists the values added.)

Thu, 05 Mar 2026 20:30:00 +0000
  Metrics: cvssV4_0
  {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Tue, 03 Mar 2026 06:15:00 +0000
  Metrics: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:45:00 +0000
  CPEs: cpe:2.3:a:cloudcharge:cloudcharge.se:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000
  First Time appeared: Cloudcharge; Cloudcharge cloudcharge.se
  Vendors & Products: Cloudcharge; Cloudcharge cloudcharge.se

Thu, 26 Feb 2026 23:45:00 +0000
  Description: The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
  Title: CloudCharge cloudcharge.se Improper Restriction of Excessive Authentication Attempts
  Weaknesses: CWE-307
  References: (none listed)
  Metrics: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T20:18:16.637Z

Reserved: 2026-02-24T00:00:40.071Z

Link: CVE-2026-25114

Vulnrichment

Updated: 2026-03-03T01:35:55.544Z

NVD

Status : Modified

Published: 2026-02-27T00:16:57.030

Modified: 2026-03-05T21:16:15.803

Link: CVE-2026-25114

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses