Cyber Posture

CVE-2026-24696

High

Published: 06 March 2026

Published
06 March 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 24.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24696 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Everon Api.Everon.Io. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-7 Unsuccessful Logon Attempts
addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

IA-10 Adaptive Authentication
addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
attack.mitre.org →
T1499.002 Service Exhaustion Flood Impact
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
attack.mitre.org →
Why these techniques?

Lack of auth rate limiting directly enables brute-force credential attacks (T1110) and service exhaustion DoS via excessive requests (T1499.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…

more

access.

Deeper analysisAI

CVE-2026-24696 affects the WebSocket Application Programming Interface, which lacks restrictions on the number of authentication requests due to the absence of rate limiting. Published on 2026-03-06, this vulnerability (CWE-307: Improper Restriction of Excessive Authentication Attempts) carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact in systems handling charger telemetry.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or brute-force attacks to achieve unauthorized access.

CISA has published ICS Advisory ICSA-26-062-08 detailing the issue, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08, along with a corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-08.json. Security practitioners should consult these advisories for mitigation guidance and patch information.

Details

CWE(s)
CWE-307

Affected Products

everon
api.everon.io
all versions

CVEs Like This One

CVE-2026-26288Same product: Everon Api.Everon.Io
CVE-2026-20748Same product: Everon Api.Everon.Io
CVE-2026-25114Shared CWE-307
CVE-2025-69246Shared CWE-307
CVE-2026-6947Shared CWE-307
CVE-2026-25113Shared CWE-307
CVE-2025-23368Shared CWE-307
CVE-2026-22278Shared CWE-307
CVE-2026-35597Shared CWE-307
CVE-2025-14362Shared CWE-307

References