Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Unauthorized Access
Action: Apply Mitigation
AI Analysis

Impact

The ePower epower.ie WebSocket API lacks any restriction on the number of authentication requests it will accept. This deficiency enables an attacker to either flood the service with repeated authentication attempts, causing legitimate charger telemetry to be suppressed or mis‑routed, or to brute‑force credentials in pursuit of unauthorized access. The result is a loss of service availability for authorized users and a risk of compromising the charging infrastructure.

Affected Systems

The vulnerability is confined to ePower’s epower.ie product. No specific affected versions are disclosed, so all installations of the ePower epower.ie platform that expose the WebSocket API are potentially susceptible.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is considered high severity. The EPSS score is below 1 % and the issue is not listed in CISA’s KEV catalog, indicating that large‑scale exploitation is unlikely at present. However, the lack of rate limiting means that an attacker who can reach the WebSocket endpoint—most plausibly from the Internet via the car‑charger’s network interface—could launch a denial‑of‑service or brute‑force campaign. The impact on confidentiality, integrity, and availability is significant if the service is critical to charging operations.

Generated by OpenCVE AI on April 17, 2026 at 12:32 UTC.

Remediation

Vendor Workaround

ePower did not respond to CISA's request for coordination. Contact ePower using their contact page here: https://epower.ie/support/ for more information.

OpenCVE Recommended Actions

  • Acquire and install any future ePower firmware or vendor patch that limits authentication attempts on the WebSocket API.
  • If a patch is not yet available, implement network firewall or reverse‑proxy rules to rate‑limit authentication requests per IP address to reduce brute‑force risk.
  • Disable or restrict the WebSocket API for charging telemetry until a mitigation is applied.
  • Contact ePower through their support portal for updates or coordinated remediation should the issue remain unresolved.

Generated by OpenCVE AI on April 17, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Epower
Epower epower.ie
Vendors & Products Epower
Epower epower.ie

Thu, 05 Mar 2026 23:45:00 +0000

Type Values Removed Values Added
Description The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Title ePower epower.ie Improper Restriction of Excessive Authentication Attempts
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Epower Epower.ie
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-09T17:26:05.678Z

Reserved: 2026-02-24T00:23:47.075Z

Link: CVE-2026-27778

cve-icon Vulnrichment

Updated: 2026-03-09T17:26:01.085Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-06T00:16:10.960

Modified: 2026-03-09T13:36:08.413

Link: CVE-2026-27778

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses