EV Energy WebSocket Session Hijacking Vulnerability

Vulnerability

A vulnerability in the WebSocket backend of EV Energy's charging station management system allows session hijacking or shadowing. The issue arises because the system uses charging station identifiers to associate sessions but permits multiple endpoints to connect using the same identifier. This flaw leads to predictable session identifiers, where the most recent connection can displace the legitimate charging station and intercept backend commands intended for it. As a result, unauthorized users could authenticate as other users, or a malicious actor could overwhelm the backend with valid session requests, causing a denial-of-service condition.
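The flaw described above comes down to how the backend keys its session table. The following Python model is an added illustration, not EV Energy's code or anything from the advisory: it contrasts a registry that keys sessions on the station identifier alone (the newest connection silently takes over) with a hardened registry that requires a per-station credential, allows one live session per identifier, and records rejected duplicate attempts for alerting. Class names, the station identifier, the credential values and the command label are all constructed.

```python
"""Two WebSocket session-registry patterns for a charging-station backend.

Added illustration, not EV Energy's code: class and field names are assumptions,
and the station identifier, credentials and command label are constructed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Connection:
    """One WebSocket connection claiming to be a charging station."""
    station_id: str
    peer: str                                        # label for the remote endpoint (constructed)
    inbox: List[str] = field(default_factory=list)   # backend commands delivered to this peer


class LastWriterWinsRegistry:
    """Weak pattern from the advisory: sessions are keyed only by station
    identifier, so whichever endpoint connected most recently receives every
    command addressed to that identifier."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Connection] = {}

    def register(self, station_id: str, peer: str) -> Connection:
        conn = Connection(station_id, peer)
        self._sessions[station_id] = conn     # silently displaces any earlier session
        return conn

    def dispatch(self, station_id: str, command: str) -> Optional[str]:
        """Deliver a backend command; returns the peer label that received it."""
        conn = self._sessions.get(station_id)
        if conn is None:
            return None
        conn.inbox.append(command)
        return conn.peer


class BoundSessionRegistry:
    """Hardened pattern: a connection must present a per-station credential,
    an identifier may own only one live session, and duplicate attempts are
    logged so operators can alert on them."""

    def __init__(self, credentials: Dict[str, str]) -> None:
        self._credentials = credentials       # station_id -> shared secret (constructed)
        self._sessions: Dict[str, Connection] = {}
        self.events: List[str] = []           # audit trail for detection

    def register(self, station_id: str, peer: str, credential: str) -> Optional[Connection]:
        expected = self._credentials.get(station_id)
        if expected is None or not hmac.compare_digest(expected, credential):
            self.events.append(f"auth_failed station={station_id} peer={peer}")
            return None
        if station_id in self._sessions:
            # Keep the existing session: a second claim on a live identifier is
            # either a misconfigured station or an impersonation attempt.
            self.events.append(f"duplicate_rejected station={station_id} peer={peer}")
            return None
        conn = Connection(station_id, peer)
        self._sessions[station_id] = conn
        return conn

    def close(self, conn: Connection) -> None:
        """Release the identifier only if this exact connection still owns it."""
        if self._sessions.get(conn.station_id) is conn:
            del self._sessions[conn.station_id]

    def dispatch(self, station_id: str, command: str) -> Optional[str]:
        conn = self._sessions.get(station_id)
        if conn is None:
            return None
        conn.inbox.append(command)
        return conn.peer


def compare_registries() -> Dict[str, object]:
    """Connect a legitimate station, then a second endpoint using the same
    identifier, and report which peer each registry hands the next command to."""
    station = "CS-0001"                                   # constructed identifier
    weak = LastWriterWinsRegistry()
    weak.register(station, "legitimate-station")
    weak.register(station, "second-endpoint")
    weak_receiver = weak.dispatch(station, "StartTransaction")

    strong = BoundSessionRegistry({station: "station-secret-0001"})   # constructed secret
    strong.register(station, "legitimate-station", "station-secret-0001")
    duplicate = strong.register(station, "second-endpoint", "station-secret-0001")
    strong_receiver = strong.dispatch(station, "StartTransaction")
    return {
        "weak_receiver": weak_receiver,           # "second-endpoint"
        "strong_receiver": strong_receiver,       # "legitimate-station"
        "duplicate_accepted": duplicate is not None,
        "events": list(strong.events),
    }


if __name__ == "__main__":
    for key, value in compare_registries().items():
        print(f"{key}: {value}")
```

The hardened registry refuses the second connection rather than replacing the first, which also blunts the denial-of-service angle: repeated session requests for an already-connected identifier consume one credential check and one log line each instead of churning the live session table. Whether to reject the newcomer or tear down both sessions is a deployment decision; either way the `duplicate_rejected` event is the signal a SOC should alert on.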

Impact

Exploitation of this vulnerability could enable session hijacking, allowing an attacker to impersonate a charging station and intercept commands meant for it. Additionally, it could lead to a denial-of-service condition by flooding the backend with session requests.

Remediation

EV Energy did not respond to CISA's request for coordination. Contact EV Energy using their contact page for more information.

Added: Feb 27, 2026, 1:20 AM
Updated: Feb 27, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.