Cyber Posture

CVE-2026-31904

Severity: High
Published: 20 March 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0009 (25.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31904 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Ctek Charge Portal. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE is ranked at the 25.8th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Guessing (T1110.001) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-7 Unsuccessful Logon Attempts (prevent)
Directly enforces limits on consecutive unsuccessful authentication attempts, preventing both brute-force attacks and DoS via excessive auth requests on the WebSocket API.

SC-5 Denial-of-service Protection (prevent)
Provides denial-of-service protection mechanisms, such as rate limiting, to mitigate resource exhaustion from unlimited authentication requests targeting charger telemetry.

SC-6 Resource Availability (prevent)
Ensures resource availability by allocating limits to system resources, reducing the impact of DoS attacks that deplete capacity through authentication flooding.
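The two controls above translate into one small server-side guard. The following is an added example, not CTEK's code and not part of the advisory: a limiter consulted before each WebSocket authentication message is processed, combining an AC-7 style lockout after consecutive failures with an SC-5 style cap on authentication requests per time window. The client identifier, the thresholds and the `verify` callback are assumptions standing in for whatever the real API uses.

```python
import time
from collections import defaultdict, deque


class AuthAttemptLimiter:
    """Guard consulted before a WebSocket 'authenticate' message is processed.
    Lockout (AC-7): max_failures consecutive failures refuse the client for
    lockout_seconds. Rate cap (SC-5): at most max_per_window auth requests per
    sliding window_seconds. Thresholds are assumed values; `clock` is injectable."""

    def __init__(self, max_failures=5, lockout_seconds=300, max_per_window=20,
                 window_seconds=60, clock=time.monotonic):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.max_per_window, self.window_seconds = max_per_window, window_seconds
        self.clock = clock
        self._failures = defaultdict(int)        # client -> consecutive failures
        self._locked_until = defaultdict(float)  # client -> lockout expiry time
        self._attempts = defaultdict(deque)      # client -> request timestamps

    def check(self, client_id):
        """Return 'allow', 'locked' or 'rate_limited' BEFORE credentials are
        examined, so refused requests never reach the password check."""
        now = self.clock()
        if now < self._locked_until[client_id]:
            return "locked"
        window = self._attempts[client_id]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()                     # forget requests outside the window
        if len(window) >= self.max_per_window:
            return "rate_limited"
        window.append(now)
        return "allow"

    def record(self, client_id, success):
        # Update the consecutive-failure counter after a credential check.
        if success:
            self._failures[client_id] = 0
            return
        self._failures[client_id] += 1
        if self._failures[client_id] >= self.max_failures:
            self._locked_until[client_id] = self.clock() + self.lockout_seconds
            self._failures[client_id] = 0        # counter restarts after lockout


def authenticate(limiter, client_id, password, verify):
    """Handle one auth message; `verify` stands in for the real credential check."""
    verdict = limiter.check(client_id)
    if verdict != "allow":
        return verdict                           # no work spent on refused requests
    ok = verify(password)
    limiter.record(client_id, ok)
    return "ok" if ok else "bad_credentials"
```

A locked client is refused even when it finally supplies the right password, which is what stops a guessing campaign from being rewarded; the rate cap applies regardless of outcome, so a flood of valid logins cannot exhaust the handler either.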

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

Lack of rate limiting on WebSocket auth requests directly enables password guessing via brute force (T1110.001) and application exhaustion DoS via excessive requests (T1499.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

Deeper analysis

CVE-2026-31904 is a vulnerability in the WebSocket Application Programming Interface that lacks restrictions on the number of authentication requests, resulting in no rate limiting. This issue, associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). It affects components involved in charger telemetry processing, as indicated by advisories from CISA and CTEK.

Unauthenticated attackers with network access can exploit this vulnerability due to its low complexity and lack of prerequisites. By sending excessive authentication requests, they can conduct denial-of-service attacks that suppress or mis-route legitimate charger telemetry data. Additionally, the absence of rate limiting enables brute-force attacks to attempt unauthorized access.

Mitigation details are provided in official advisories, including CISA ICSA-26-078-06 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06), the corresponding CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json), and CTEK support resources (https://www.ctek.com/support). Security practitioners should consult these for patching instructions and workarounds.

Details

CWE(s)
CWE-307 Improper Restriction of Excessive Authentication Attempts

Affected Products
Vendor: ctek
Product: charge portal
Versions: all versions

CVEs Like This One

CVE-2026-27649 (same product: Ctek Charge Portal)
CVE-2026-25192 (same product: Ctek Charge Portal)
CVE-2026-27778 (shared CWE-307)
CVE-2026-31903 (shared CWE-307)
CVE-2025-58587 (shared CWE-307)
CVE-2026-24436 (shared CWE-307)
CVE-2025-36363 (shared CWE-307)
CVE-2026-27521 (shared CWE-307)
CVE-2026-32292 (shared CWE-307)
CVE-2024-9342 (shared CWE-307)
