CVE-2026-27778

High

Published: 06 March 2026

Published

06 March 2026

Modified

06 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0003 8.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27778 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Epower Epower.Ie. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Guessing (T1110.001) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-7 Unsuccessful Logon Attempts

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

IA-10 Adaptive Authentication

addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

attack.mitre.org →

T1499.003 Application Exhaustion Flood Impact

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

attack.mitre.org →

Why these techniques?

Lack of rate limiting on WebSocket auth requests directly enables password guessing brute force (T1110.001) and application-layer service exhaustion DoS (T1499.003) against telemetry processing.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…

access.

Deeper analysisAI

CVE-2026-27778 is a vulnerability in the WebSocket Application Programming Interface that lacks restrictions on the number of authentication requests due to the absence of rate limiting. Published on 2026-03-06, it is associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), emphasizing high availability impact with no confidentiality or integrity effects. The issue affects components involved in processing charger telemetry.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity by flooding the interface with excessive authentication requests. This enables denial-of-service attacks that suppress or mis-route legitimate charger telemetry, disrupting operations, or facilitates brute-force attacks to achieve unauthorized access.

Advisories provide mitigation guidance, including CISA ICS Advisory ICSA-26-062-07 (with CSAF JSON at the GitHub repository), which details patches and workarounds, as well as the ePower support page at https://epower.ie/support/. Security practitioners should consult these references for vendor-specific remediation steps.