CVE-2026-27778
Published: 06 March 2026
Summary
CVE-2026-27778 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Epower Epower.Ie. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 44.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-27778 is a vulnerability in the WebSocket Application Programming Interface that lacks restrictions on the number of authentication requests due to the absence of rate limiting. Published on 2026-03-06, it is associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), emphasizing high availability impact with no confidentiality or integrity effects. The issue affects components involved in processing charger telemetry.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity by flooding the interface with excessive authentication requests. This enables denial-of-service attacks that suppress or mis-route legitimate charger telemetry, disrupting operations, or facilitates brute-force attacks to achieve unauthorized access.
Advisories provide mitigation guidance, including CISA ICS Advisory ICSA-26-062-07 (with CSAF JSON at the GitHub repository), which details patches and workarounds, as well as the ePower support page at https://epower.ie/support/. Security practitioners should consult these references for vendor-specific remediation steps.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9943
Vulnerability details
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…
more
access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Lack of rate limiting on WebSocket auth requests directly enables password guessing brute force (T1110.001) and application-layer service exhaustion DoS (T1499.003) against telemetry processing.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-7 limits unsuccessful logon attempts, directly addressing the lack of restrictions on authentication requests that enable brute-force and DoS attacks.
SC-5 protects against denial-of-service attacks by limiting the effects of flooding the WebSocket API with excessive authentication requests.
SC-6 ensures resource availability for legitimate charger telemetry despite excessive consumption from unlimited authentication requests.