Mobiliti WebSocket Authentication Vulnerability Allowing Unauthorized Control of Charging Stations

Vulnerability

A vulnerability exists in the WebSocket endpoints of Mobiliti's e-mobi.hu platform, where proper authentication mechanisms are lacking. This flaw enables unauthorized station impersonation and manipulation of data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and issue or receive OCPP commands as if they were a legitimate charger. The absence of authentication could lead to privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend.
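
An added example, not code from Mobiliti or from the advisory: a backend handshake check in the style of OCPP's HTTP Basic authentication security profiles, which ties the station identifier in the URL to a per-station secret before any OCPP message is accepted. The `/ocpp/<station-id>` path layout, the `STATION_KEYS` store, the sample key and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def hash_key(key: bytes, salt: bytes) -> bytes:
    # Store only a salted, stretched hash of each station key.
    return hashlib.pbkdf2_hmac("sha256", key, salt, 100_000)

# Constructed sample store (hypothetical): station id -> (salt, key hash).
STATION_KEYS = {
    "CS-0001": (b"salt-0001", hash_key(b"constructed-key-0001", b"salt-0001")),
}

def authorize_handshake(path: str, headers: dict) -> tuple[bool, str]:
    """Decide whether a WebSocket upgrade may act as the station named in its URL.

    Returns (True, station_id) or (False, reason). Call this before the
    upgrade is accepted, so an unauthenticated peer never reaches OCPP handling.
    """
    prefix = "/ocpp/"  # assumed URL layout: /ocpp/<station-id>
    station_id = path[len(prefix):] if path.startswith(prefix) else ""
    if not station_id or "/" in station_id:
        return False, "bad path"
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme, _, blob = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        # This is the case the advisory describes: an identifier alone.
        return False, "missing credentials"
    try:
        user, sep, key = base64.b64decode(blob, validate=True).partition(b":")
    except ValueError:
        return False, "malformed credentials"
    if not sep:
        return False, "malformed credentials"
    # A valid key for one station must not open a session as another.
    if user != station_id.encode():
        return False, "identity mismatch"
    salt, expected = STATION_KEYS.get(station_id, (b"unknown", b""))
    # Hash and compare in constant time, also for unknown identifiers,
    # so response timing does not reveal which station ids exist.
    if not hmac.compare_digest(hash_key(key, salt), expected):
        return False, "invalid credentials"
    return True, station_id
```

Basic credentials are only protected in transit when the endpoint is served over TLS (`wss://`), and rejected handshakes are worth logging with the source address and claimed station identifier.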

Impact

Exploitation of this vulnerability could allow unauthorized administrative control over affected charging stations or disrupt charging services, causing denial-of-service conditions.

Remediation

Mobiliti did not respond to CISA's request for coordination. For more information, contact Mobiliti through their customer support page.

Added: Mar 6, 2026, 3:19 PM
Updated: Mar 6, 2026, 3:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.6
exploitability: 7.0
remediation: 0.0
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.