Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized control of charging infrastructure
Action: Patch ASAP
AI Analysis

Impact

WebSocket endpoints used by Mobiliti e-mobi.hu lack proper authentication, allowing an attacker to connect to the OCPP endpoint using a known or discovered charging station identifier and issue or receive commands as a legitimate charger. This flaw is a missing authentication weakness (CWE-306) that can result in privilege escalation, manipulation of charging commands, and corruption of network data reported to the backend.

Affected Systems

The vulnerability affects Mobiliti’s e-mobi.hu charging infrastructure. No specific version information is provided, so any deployment that uses the OCPP WebSocket interface of this product could be impacted.

Risk and Exploitability

With a CVSS score of 9.3, the flaw is considered critical. The EPSS score is less than 1%, suggesting low current exploitation likelihood, but the flaw remains high‑risk because it allows complete control of charging stations. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a network attacker who can reach the OCPP WebSocket endpoint; because no authentication is required, that attacker can impersonate a station and inject commands.

Generated by OpenCVE AI on April 17, 2026 at 12:19 UTC.

Remediation

Vendor Workaround

Mobiliti did not respond to CISA's request for coordination. Contact Mobiliti using their contact page here: https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat for more information.


OpenCVE Recommended Actions

  • Apply any vendor release or firmware update that adds authentication enforcement to the OCPP WebSocket endpoints.
  • If a patch is not yet available, restrict OCPP WebSocket traffic to trusted station IP ranges using firewall or VLAN segmentation to block anonymous connections.
  • Deploy network monitoring to detect unusual WebSocket activity and audit backend command logs for signs of unauthorized control.
  • Consider implementing mutual TLS or certificate‑based station authentication as a temporary protective measure until an official fix is applied.
  • Contact Mobiliti using their support page at https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat for additional guidance and temporary mitigation steps.
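The monitoring and source-restriction actions above can be combined into one check over backend connection logs. The following is an added example, not code from Mobiliti or OpenCVE: the log tuple layout, station IDs, networks and the `find_suspect_sessions` helper are all assumptions made for illustration.

```python
import ipaddress

# Constructed allow-list: station ID -> network it is expected to connect from.
TRUSTED = {
    "CS-0001": ipaddress.ip_network("10.20.1.0/24"),
    "CS-0002": ipaddress.ip_network("10.20.2.0/24"),
}

# Constructed connection log: (time, station_id, source_ip, event).
SAMPLE_LOG = [
    ("2026-03-06T10:00:00Z", "CS-0001", "10.20.1.15", "open"),
    ("2026-03-06T10:01:00Z", "CS-0002", "10.20.2.7", "open"),
    ("2026-03-06T10:05:00Z", "CS-0001", "203.0.113.50", "open"),
    ("2026-03-06T10:06:00Z", "CS-0002", "10.20.2.7", "close"),
    ("2026-03-06T10:07:00Z", "CS-0002", "10.20.2.7", "open"),
    ("2026-03-06T10:09:00Z", "CS-0099", "10.20.1.15", "open"),
]

def find_suspect_sessions(log, trusted):
    """Return (time, station_id, source_ip, reason) for each suspicious open."""
    active = {}  # station_id -> set of source IPs with an open session
    alerts = []
    for ts, station, ip, event in log:
        sources = active.setdefault(station, set())
        if event == "close":
            sources.discard(ip)
            continue
        net = trusted.get(station)
        if net is None:
            # Station ID the backend has never provisioned.
            alerts.append((ts, station, ip, "unknown-station-id"))
        elif ipaddress.ip_address(ip) not in net:
            # Known station ID, but from outside its expected network.
            alerts.append((ts, station, ip, "untrusted-source"))
        if sources - {ip}:
            # Same station ID already connected from another address.
            alerts.append((ts, station, ip, "concurrent-session"))
        sources.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_sessions(SAMPLE_LOG, TRUSTED):
        print(*alert)
```

A reconnect from the same address after a clean close (the CS-0002 rows) raises no alert, which keeps routine charger reboots out of the results.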



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Mobiliti
Mobiliti e-mobi.hu
Vendors & Products Mobiliti
Mobiliti e-mobi.hu

Fri, 06 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Title Mobiliti e-mobi.hu Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-09T15:21:58.096Z

Reserved: 2026-02-24T00:30:38.952Z

Link: CVE-2026-26051

Vulnrichment

Updated: 2026-03-09T15:21:50.976Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T15:16:09.973

Modified: 2026-03-09T13:35:34.633

Link: CVE-2026-26051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses