CVE-2026-24445
Published: 27 February 2026
Summary
CVE-2026-24445 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Ev.Energy Ev.Energy. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces limits on the number of unsuccessful authentication attempts, preventing both brute-force attacks and denial-of-service via excessive authentication requests.
Provides protection against denial-of-service attacks by limiting the effects of flooding the WebSocket API with excessive authentication requests.
Monitors and controls communications at external boundaries, enabling rate limiting and filtering of excessive WebSocket authentication requests to mitigate resource exhaustion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Lack of rate limiting on WebSocket auth requests directly enables brute-force credential access (T1110) and resource-exhaustion DoS (T1499) against the public-facing interface.
NVD Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…
more
access.
Deeper analysisAI
CVE-2026-24445, published on 2026-02-27, is a vulnerability in the WebSocket Application Programming Interface stemming from a lack of restrictions on the number of authentication requests, with no rate limiting implemented. This issue, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), affects systems handling charger telemetry, as indicated by references to ev.energy and CISA's ICS advisory. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) highlights its high severity, primarily due to the potential for significant availability disruption without requiring privileges or user interaction.
Unauthenticated attackers with network access can exploit this vulnerability by flooding the interface with excessive authentication requests. This enables denial-of-service attacks that suppress or mis-route legitimate charger telemetry data, disrupting operational visibility and control. Attackers could also leverage the absence of rate limiting for brute-force attacks, potentially gaining unauthorized access to the affected WebSocket interface.
CISA's ICS Advisory ICSA-26-057-07, detailed at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07 and in CSAF format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-07.json, provides guidance on mitigations, with additional vendor information available at https://www.ev.energy/en-us.
Details
- CWE(s)