EV2GO WebSocket API Rate Limiting Vulnerability Allowing Denial-of-Service and Brute-Force Attacks
Vulnerability
The WebSocket API of EV2GO's charging management platform does not rate-limit authentication requests. Because a client can send an unlimited number of authentication attempts, an attacker could launch denial-of-service attacks by disrupting or misdirecting legitimate charger telemetry, or conduct brute-force attacks against credentials to gain unauthorized access.
Impact
Exploitation of this vulnerability could lead to denial-of-service conditions by misrouting or suppressing legitimate telemetry from charging stations, causing widespread disruption. Additionally, the lack of rate limiting could be exploited to perform brute-force attacks on authentication mechanisms, potentially leading to unauthorized access.
Remediation
EV2GO did not respond to CISA's request for coordination. Contact EV2GO through their contact page for more information.
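The control the advisory describes as absent is a per-client limit on authentication attempts at the WebSocket endpoint. The following is an added example, not EV2GO's code or part of the original advisory: a sliding-window limiter with a lockout, placed in front of token verification for a charger "auth" message. The class and function names (AuthRateLimiter, handle_auth_message, simulate_brute_force), the message shape, the charger id and token, and the client address are all assumptions constructed for illustration.

```python
# Added example (not EV2GO's code): rate-limiting WebSocket authentication
# attempts per client, the control the advisory reports as missing.
# Names, message format and sample values below are constructed assumptions.
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential store standing in for the platform's real one.
CHARGER_TOKENS = {"CP-001": "constructed-secret-token"}


@dataclass
class AuthRateLimiter:
    """Sliding-window limiter: at most `max_attempts` authentication attempts
    per `window_seconds` for each client key (e.g. source IP). Exceeding the
    limit locks the client out for `lockout_seconds`."""
    max_attempts: int = 5
    window_seconds: float = 60.0
    lockout_seconds: float = 300.0
    _attempts: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def allow(self, client_key: str, now: float) -> bool:
        """Return True if this attempt may proceed to credential checking.
        `now` is injected (monotonic seconds) so behaviour is deterministic."""
        # A client in lockout is refused until the lockout expires.
        if self._locked_until.get(client_key, 0.0) > now:
            return False
        window = self._attempts[client_key]
        # Discard attempts that have aged out of the sliding window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_attempts:
            # Limit reached: start the lockout and reset the window.
            self._locked_until[client_key] = now + self.lockout_seconds
            window.clear()
            return False
        window.append(now)
        return True


def handle_auth_message(limiter: AuthRateLimiter, client_key: str,
                        message: dict, now: float) -> dict:
    """Process one WebSocket 'auth' message. The rate limit is checked before
    any credential comparison, so guessing is throttled whether or not the
    charger id exists. Every attempt counts toward the limit."""
    if message.get("type") != "auth":
        return {"type": "error", "reason": "unexpected_message"}
    if not limiter.allow(client_key, now):
        return {"type": "error", "reason": "rate_limited"}
    expected = CHARGER_TOKENS.get(message.get("charger_id"))
    presented = str(message.get("token", ""))
    # Constant-time comparison avoids leaking token prefixes via timing.
    if expected is None or not hmac.compare_digest(expected, presented):
        return {"type": "error", "reason": "auth_failed"}
    return {"type": "auth_ok", "charger_id": message["charger_id"]}


def simulate_brute_force(attempts: int, start: float = 0.0) -> dict:
    """Replay a constructed burst of wrong tokens from one client, 0.1 s apart,
    and tally the responses. Shows how the limiter caps the number of
    guesses that ever reach credential checking."""
    limiter = AuthRateLimiter()
    tally = {"auth_failed": 0, "rate_limited": 0, "auth_ok": 0}
    for i in range(attempts):
        msg = {"type": "auth", "charger_id": "CP-001", "token": f"guess-{i}"}
        resp = handle_auth_message(limiter, "198.51.100.7", msg,
                                   now=start + i * 0.1)
        tally[resp.get("reason", resp["type"])] += 1
    return tally


if __name__ == "__main__":
    print(simulate_brute_force(50))
    # With the defaults, only 5 guesses reach credential checking; the
    # rest are rejected as rate_limited.
```

With the default settings a burst of 50 wrong tokens yields 5 auth_failed responses and 45 rate_limited ones, and a legitimate charger on a different client key is unaffected. In production the limiter state would live in a shared store so that every API node enforces the same budget, and lockouts should be logged with the client key so that repeated hits are visible to monitoring.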
