CVE-2026-24696
Published: 06 March 2026
Summary
CVE-2026-24696 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Everon Api.Everon.Io. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-24696 affects the WebSocket Application Programming Interface, which lacks restrictions on the number of authentication requests due to the absence of rate limiting. Published on 2026-03-06, this vulnerability (CWE-307: Improper Restriction of Excessive Authentication Attempts) carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact in systems handling charger telemetry.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or brute-force attacks to achieve unauthorized access.
CISA has published ICS Advisory ICSA-26-062-08 detailing the issue, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08, along with a corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-08.json. Security practitioners should consult these advisories for mitigation guidance and patch information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10033
Vulnerability details
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…
more
access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Lack of auth rate limiting directly enables brute-force credential attacks (T1110) and service exhaustion DoS via excessive requests (T1499.002).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces limits on consecutive unsuccessful logon attempts, directly mitigating brute-force attacks and excessive authentication requests on the WebSocket API.
Protects against denial-of-service events, addressing the suppression or mis-routing of legitimate charger telemetry due to unrestricted authentication requests.
Implements resource allocation controls to protect availability from exhaustion caused by unlimited authentication requests over WebSocket.