Cyber Resilience

CVE-2026-24445

High

Published: 27 February 2026

Published
27 February 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0049 38.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-24445 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Ev.Energy Ev.Energy. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 38.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-24445, published on 2026-02-27, is a vulnerability in the WebSocket Application Programming Interface stemming from a lack of restrictions on the number of authentication requests, with no rate limiting implemented. This issue, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), affects systems handling charger telemetry, as indicated by references to ev.energy and CISA's ICS advisory. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) highlights its high severity, primarily due to the potential for significant availability disruption without requiring privileges or user interaction.

Unauthenticated attackers with network access can exploit this vulnerability by flooding the interface with excessive authentication requests. This enables denial-of-service attacks that suppress or mis-route legitimate charger telemetry data, disrupting operational visibility and control. Attackers could also leverage the absence of rate limiting for brute-force attacks, potentially gaining unauthorized access to the affected WebSocket interface.

CISA's ICS Advisory ICSA-26-057-07, detailed at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07 and in CSAF format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-07.json, provides guidance on mitigations, with additional vendor information available at https://www.ev.energy/en-us.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…

more

access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1499 Endpoint Denial of Service Impact
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

Lack of rate limiting on WebSocket auth requests directly enables brute-force credential access (T1110) and resource-exhaustion DoS (T1499) against the public-facing interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26290Same product: Ev.Energy Ev.Energy
CVE-2026-27772Same product: Ev.Energy Ev.Energy
CVE-2026-20792Shared CWE-307
CVE-2026-26305Shared CWE-307
CVE-2026-25945Shared CWE-307
CVE-2026-45364Shared CWE-307
CVE-2025-69246Shared CWE-307
CVE-2026-45010Shared CWE-307
CVE-2026-22278Shared CWE-307
CVE-2025-23368Shared CWE-307

Affected Assets

ev.energy
ev.energy
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces limits on the number of unsuccessful authentication attempts, preventing both brute-force attacks and denial-of-service via excessive authentication requests.

preventdetect

Provides protection against denial-of-service attacks by limiting the effects of flooding the WebSocket API with excessive authentication requests.

prevent

Monitors and controls communications at external boundaries, enabling rate limiting and filtering of excessive WebSocket authentication requests to mitigate resource exhaustion.

References