Cyber Resilience

CVE-2026-25114

High

Published: 27 February 2026

Published
27 February 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0047 37.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25114 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Cloudcharge Cloudcharge.Se. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 37.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-25114 is a vulnerability in the WebSocket Application Programming Interface that lacks restrictions on the number of authentication requests due to the absence of rate limiting. Published on 2026-02-27, it affects components handling charger telemetry and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), mapped to CWE-307 (Improper Restriction of Excessive Authentication Attempts).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or brute-force attacks to achieve unauthorized access, with primary impact on availability.

CISA ICS Advisory ICSA-26-057-03, along with its CSAF representation on GitHub and the vendor contact page at https://cloudcharge.tech/support/contact/, provide further details on mitigations. Security practitioners should consult these resources for patch information and recommended actions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…

more

access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1499.002 Service Exhaustion Flood Impact
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Why these techniques?

Lack of rate limiting on authentication requests directly enables brute-force credential access (T1110) and service exhaustion DoS via flooding (T1499.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20781Same product: Cloudcharge Cloudcharge.Se
CVE-2026-27652Same product: Cloudcharge Cloudcharge.Se
CVE-2026-24696Shared CWE-307
CVE-2026-45364Shared CWE-307
CVE-2025-69246Shared CWE-307
CVE-2026-45010Shared CWE-307
CVE-2026-22278Shared CWE-307
CVE-2025-23368Shared CWE-307
CVE-2024-23106Shared CWE-307
CVE-2026-25113Shared CWE-307

Affected Assets

cloudcharge
cloudcharge.se
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces limits on consecutive unsuccessful authentication attempts, mitigating brute-force attacks enabled by unrestricted authentication requests.

prevent

Provides denial-of-service protection mechanisms such as rate limiting to prevent flooding of the WebSocket API with excessive authentication requests that suppress legitimate telemetry.

prevent

Limits concurrent sessions to mitigate resource exhaustion from multiple simultaneous WebSocket connections attempting excessive authentication.

References