CVE-2026-24912

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://epower.ie/support/
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-07.json
https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07

Configurations

No configuration.

History

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) El backend de WebSocket utiliza identificadores de estaciones de carga para asociar sesiones de forma única, pero permite que múltiples puntos finales se conecten utilizando el mismo identificador de sesión. Esta implementación resulta en identificadores de sesión predecibles y permite el secuestro o sombreado de sesión, donde la conexión más reciente desplaza a la estación de carga legítima y recibe comandos del backend destinados a esa estación. Esta vulnerabilidad puede permitir a usuarios no autorizados autenticarse como otros usuarios o permitir a un actor malicioso causar una condición de denegación de servicio al sobrecargar el backend con solicitudes de sesión válidas.

06 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 00:16

Updated : 2026-03-09 13:36

NVD link : CVE-2026-24912

Mitre link : CVE-2026-24912

CVE.ORG link : CVE-2026-24912

JSON object : View

Products Affected

No product.

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2026-24912", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T00:16:10.553", "references": [{"url": "https://epower.ie/support/", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-07.json", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable\na malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests."}, {"lang": "es", "value": "El backend de WebSocket utiliza identificadores de estaciones de carga para asociar sesiones de forma \u00fanica, pero permite que m\u00faltiples puntos finales se conecten utilizando el mismo identificador de sesi\u00f3n. Esta implementaci\u00f3n resulta en identificadores de sesi\u00f3n predecibles y permite el secuestro o sombreado de sesi\u00f3n, donde la conexi\u00f3n m\u00e1s reciente desplaza a la estaci\u00f3n de carga leg\u00edtima y recibe comandos del backend destinados a esa estaci\u00f3n. Esta vulnerabilidad puede permitir a usuarios no autorizados autenticarse como otros usuarios o permitir a un actor malicioso causar una condici\u00f3n de denegaci\u00f3n de servicio al sobrecargar el backend con solicitudes de sesi\u00f3n v\u00e1lidas."}], "lastModified": "2026-03-09T13:36:08.413", "sourceIdentifier": "ics-cert@hq.dhs.gov"}