CVE-2026-20882
Published: 06 March 2026
Summary
CVE-2026-20882 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Mvm Mobiliti E-Mobi.Hu. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-20882, published on 2026-03-06, is a vulnerability in the WebSocket Application Programming Interface that lacks restrictions on the number of authentication requests due to the absence of rate limiting. This flaw, mapped to CWE-307 (Improper Restriction of Excessive Authentication Attempts) and scored 7.5 under CVSS v3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), affects components handling charger telemetry in operational technology environments.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation enables denial-of-service attacks by flooding the interface with authentication requests, suppressing or mis-routing legitimate charger telemetry data, or facilitates brute-force attacks to achieve unauthorized access.
Mitigation guidance is detailed in related advisories, including CISA ICSA-26-062-06 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06), the corresponding CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-06.json), and vendor support resources such as https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10032
Vulnerability details
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…
more
access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Lack of rate limiting on auth requests directly enables brute-force credential access (T1110) and application exhaustion DoS via flooding (T1499.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces limits on consecutive invalid authentication attempts, preventing both brute-force attacks and DoS via excessive authentication requests on the WebSocket API.
Provides denial-of-service protections tailored to flooding the WebSocket API with authentication requests, suppressing legitimate charger telemetry.
Ensures resource availability by monitoring and controlling usage against exhaustion from unlimited authentication requests over WebSocket.