Description
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
Published: 2026-02-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Unauthorized Authentication
Action: Apply Workaround
AI Analysis

Impact

The EV2GO ev2go.io platform’s WebSocket API does not limit the number of authentication attempts. This flaw allows attackers to flood the system, potentially disrupting charger telemetry or carrying out brute‑force credential guesses. The weakness is classified as CWE‑307, originating from the absence of rate limiting on the authentication endpoint.

Affected Systems

Vendor: EV2GO. Product: ev2go.io. No specific version information is provided in the advisory. The affected configuration is represented by the generic CPE for the product.

Risk and Exploitability

The vulnerability scores 8.7 on the CVSS base scale, indicating high severity, while the EPSS estimate of less than 1% suggests a very low current likelihood of exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit the issue remotely by repeatedly sending authentication requests over the WebSocket interface, either to overload the service and cause denial of service or to attempt credential brute‑forcing. The lack of any rate limiting mechanism makes these attack vectors straightforward to execute once the attacker can reach the WebSocket endpoint.

Generated by OpenCVE AI on April 17, 2026 at 14:10 UTC.

Remediation

Vendor Workaround

EV2GO did not respond to CISA's request for coordination. Contact EV2GO via their contact page (https://ev2go.io/) for more information.


OpenCVE Recommended Actions

  • Implement rate limiting on the WebSocket authentication endpoint to restrict the number of authentication attempts per IP or user within a defined timeframe.
  • Deploy monitoring or intrusion‑detection rules to detect repeated failed authentication attempts and automatically block offending IP addresses.
  • Contact EV2GO through their official contact page to obtain vendor‑provided mitigation guidance or a patch.
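As an added example (not code from OpenCVE, CISA or EV2GO, which has published no fix), the following Python sketch shows the first two recommended actions together: a sliding-window cap on authentication attempts per client IP, a temporary lockout after repeated failures, and an alert record that a monitoring pipeline could consume. The WebSocket message format, the limits and the credential store are assumptions; the timestamps are injected so the behaviour can be checked offline.

```python
"""Added example, not code from OpenCVE, CISA or EV2GO: a per-client rate
limiter with failure-based lockout for WebSocket authentication messages.
The message format, limits and credential store are assumptions."""
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AuthRateLimiter:
    """Throttles auth attempts per client key (here, the client IP) and
    locks a client out after repeated failures inside the window."""
    max_attempts: int = 5            # attempts allowed per window (assumed policy)
    window_seconds: float = 60.0
    lockout_failures: int = 3        # failures in a window that trigger a lockout
    lockout_seconds: float = 300.0
    attempts: dict = field(default_factory=lambda: defaultdict(deque))
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # detection events for monitoring

    def _prune(self, q: deque, now: float) -> None:
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def allow(self, key: str, now: float) -> bool:
        """Return True if the client may attempt authentication right now."""
        if self.locked_until.get(key, 0.0) > now:
            return False                   # still locked out after repeated failures
        q = self.attempts[key]
        self._prune(q, now)
        if len(q) >= self.max_attempts:
            return False                   # burst cap hit: throttle, no lockout
        q.append(now)
        return True

    def record_result(self, key: str, success: bool, now: float) -> None:
        """Feed the outcome back: a success clears the failure history;
        repeated failures lock the client out and raise an alert."""
        if success:
            self.failures.pop(key, None)
            return
        f = self.failures[key]
        f.append(now)
        self._prune(f, now)
        if len(f) >= self.lockout_failures:
            self.locked_until[key] = now + self.lockout_seconds
            self.alerts.append({"client": key, "failures": len(f), "at": now})
            f.clear()


# Constructed credential store (assumption): charger id -> shared secret.
CREDENTIALS = {"charger-001": "s3cret-token"}


def verify(charger_id: str, token: str) -> bool:
    """Constant-time token check; runs the comparison even for unknown ids."""
    expected = CREDENTIALS.get(charger_id, "")
    return hmac.compare_digest(expected.encode(), token.encode()) and charger_id in CREDENTIALS


def handle_auth(limiter: AuthRateLimiter, client_ip: str, msg: dict, now: float) -> dict:
    """Process one assumed {'type': 'auth', 'id': ..., 'token': ...} message."""
    if not limiter.allow(client_ip, now):
        return {"type": "auth_result", "status": "rate_limited"}
    ok = verify(msg.get("id", ""), msg.get("token", ""))
    limiter.record_result(client_ip, ok, now)
    return {"type": "auth_result", "status": "ok" if ok else "denied"}


def simulate():
    """Constructed traffic: three bad guesses from one IP, a legitimate login
    from another, the first IP retrying after the lockout, and a burst of
    seven valid logins from a third IP that trips the per-window cap."""
    limiter = AuthRateLimiter()
    good = {"type": "auth", "id": "charger-001", "token": "s3cret-token"}
    bad = {"type": "auth", "id": "charger-001", "token": "guess"}
    script = [(0.0, "10.0.0.1", bad), (1.0, "10.0.0.1", bad), (2.0, "10.0.0.1", bad),
              (3.0, "10.0.0.1", good), (4.0, "10.0.0.2", good), (302.5, "10.0.0.1", good)]
    script += [(400.0 + i, "10.0.0.3", good) for i in range(7)]
    statuses = [handle_auth(limiter, ip, m, t)["status"] for t, ip, m in script]
    return statuses, limiter.alerts


if __name__ == "__main__":
    print(simulate())
```

The burst cap and the failure lockout are kept separate on purpose: the cap bounds how much authentication work any one client can impose per window (the denial-of-service angle), while the lockout only reacts to failed credentials (the brute-force angle), so a charger that reconnects with valid credentials is throttled but never locked out. In production the alert list would go to a log or SIEM rather than memory.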

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:45:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Tue, 03 Mar 2026 06:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 16:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:ev2go:ev2go.io:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ev2go; Ev2go ev2go.io

Type: Vendors & Products
Values Removed: (none)
Values Added: Ev2go; Ev2go ev2go.io

Fri, 27 Feb 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

Type: Title
Values Removed: (none)
Values Added: EV2GO ev2go.io Improper Restriction of Excessive Authentication Attempts

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-307

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-31T14:20:00.190Z

Reserved: 2026-02-23T23:41:36.747Z

Link: CVE-2026-25945

Vulnrichment

Updated: 2026-03-03T01:33:09.873Z

NVD

Status : Modified

Published: 2026-02-27T00:16:57.730

Modified: 2026-03-05T21:16:16.803

Link: CVE-2026-25945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses