Cyber Resilience

CVE-2026-20882

High

Published: 06 March 2026

Published
06 March 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0044 34.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-20882 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Mvm Mobiliti E-Mobi.Hu. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-20882, published on 2026-03-06, is a vulnerability in the WebSocket Application Programming Interface that lacks restrictions on the number of authentication requests due to the absence of rate limiting. This flaw, mapped to CWE-307 (Improper Restriction of Excessive Authentication Attempts) and scored 7.5 under CVSS v3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), affects components handling charger telemetry in operational technology environments.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation enables denial-of-service attacks by flooding the interface with authentication requests, suppressing or mis-routing legitimate charger telemetry data, or facilitates brute-force attacks to achieve unauthorized access.

Mitigation guidance is detailed in related advisories, including CISA ICSA-26-062-06 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06), the corresponding CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-06.json), and vendor support resources such as https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…

more

access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Lack of rate limiting on auth requests directly enables brute-force credential access (T1110) and application exhaustion DoS via flooding (T1499.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27764Same product: Mvm Mobiliti E-Mobi.Hu
CVE-2026-26051Same product: Mvm Mobiliti E-Mobi.Hu
CVE-2026-45364Shared CWE-307
CVE-2025-69246Shared CWE-307
CVE-2026-45010Shared CWE-307
CVE-2026-22278Shared CWE-307
CVE-2025-23368Shared CWE-307
CVE-2024-23106Shared CWE-307
CVE-2024-57610Shared CWE-307
CVE-2025-69615Shared CWE-307

Affected Assets

mvm
mobiliti e-mobi.hu
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces limits on consecutive invalid authentication attempts, preventing both brute-force attacks and DoS via excessive authentication requests on the WebSocket API.

preventdetectrespond

Provides denial-of-service protections tailored to flooding the WebSocket API with authentication requests, suppressing legitimate charger telemetry.

preventdetect

Ensures resource availability by monitoring and controlling usage against exhaustion from unlimited authentication requests over WebSocket.

References