Mobiliti e-mobi.hu EV Chargers: Critical Auth Bypass & DoS Vulnerabilities
- [01] Unauthenticated attackers can gain administrative control or disrupt Mobiliti e-mobi.hu charging services.
- [02] All versions of Mobiliti e-mobi.hu electric vehicle charging station software are vulnerable.
- [03] Minimize network exposure and isolate control systems from public networks immediately.
Critical Vulnerabilities Impact Mobiliti e-mobi.hu EV Charging Stations
Runtime Rebel analysts have identified critical security vulnerabilities affecting all versions of Mobiliti e-mobi.hu electric vehicle (EV) charging stations. These flaws, as detailed in CISA’s ICS Advisory ICSA-26-062-06, could allow unauthenticated attackers to gain administrative control over vulnerable charging stations or disrupt critical charging services through denial-of-service attacks. The implications for critical infrastructure, particularly in the Energy and Transportation Systems sectors globally, are significant.
The widespread deployment of Mobiliti e-mobi.hu charging stations amplifies the potential impact of these issues. Attackers exploiting these weaknesses could manipulate charging data, impersonate legitimate chargers, or render stations inoperable, posing a direct threat to the reliability and security of EV charging infrastructure.
Technical Analysis of Mobiliti e-mobi.hu EV Charging Station Vulnerabilities
CISA’s advisory highlights four distinct vulnerabilities, each contributing to a cumulative risk profile. The most severe, CVE-2026-26051, carries a CVSS v3.1 base score of 9.4, classifying it as CRITICAL.
CVE-2026-26051: Missing Authentication Enabling Unauthorized Control of Charging Infrastructure
This critical vulnerability stems from CWE-306: Missing Authentication for Critical Function within the WebSocket endpoints of Mobiliti e-mobi.hu. Attackers can connect to the OCPP (Open Charge Point Protocol) WebSocket endpoint without authentication, leveraging a known or discoverable charging station identifier. This allows them to issue or receive OCPP commands as if they were a legitimate charger. Such unauthorized access can lead to Privilege Escalation, complete control over the charging infrastructure, and the corruption of data reported to the backend. This is a primary avenue for gaining unauthorized control of charging infrastructure, enabling malicious actors to manipulate availability, pricing, and operational data.
CVE-2026-20882: Excessive Authentication Attempts Leading to DoS
Rated with a CVSS v3.1 score of 7.5 (HIGH), CVE-2026-20882 is categorized under CWE-307: Improper Restriction of Excessive Authentication Attempts. The WebSocket Application Programming Interface (API) lacks proper rate limiting on authentication requests. This oversight creates an opportunity for attackers to conduct denial-of-service attacks by overwhelming the system with requests, suppressing or mis-routing legitimate charger telemetry, or even attempting brute-force attacks to gain illicit access. The lack of proper rate limiting makes it easier for attackers to probe for other weaknesses.
CVE-2026-27764: Insufficient Session Expiration and Hijacking Risks
Another significant issue, CVE-2026-27764, with a CVSS v3.1 score of 7.3 (HIGH), falls under CWE-613: Insufficient Session Expiration. The WebSocket backend uses predictable charging station identifiers for session association, allowing multiple endpoints to connect using the same identifier. This design flaw enables session hijacking or shadowing, where a newer connection can displace a legitimate charging station, receiving commands intended for it. This can lead to unauthorized user authentication or a denial-of-service condition by flooding the backend with valid session requests.
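The three WebSocket weaknesses above (no authentication on the OCPP endpoint, no rate limiting on authentication, and identifier reuse that lets a newer connection displace an established one) are all admission-control failures at the upgrade request. The following is an added illustrative example, not Mobiliti's software or anything from the advisory, of a backend gate that enforces the corresponding checks. It models the upgrade request as a path plus a header dictionary so it runs offline; the credential store, limits and identifiers are constructed. The authentication scheme follows OCPP 1.6 security profiles 1 and 2, which carry the charge point identifier and password as HTTP Basic auth on the WebSocket upgrade.

```python
"""Admission control for an OCPP-over-WebSocket backend (added example).

Illustrative code, not Mobiliti's. It models the three server-side checks whose
absence the advisory describes: authenticate the upgrade request, rate-limit
failed authentication per source address, and refuse (rather than displace) a
connection that claims an identifier already in session. The credential store,
window sizes and identifiers below are constructed for the example.
"""
import base64
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple

# Constructed credential store: charge point identifier -> password.
CHARGE_POINTS: Dict[str, str] = {"HU-CP-0001": "s3cret-0001", "HU-CP-0002": "s3cret-0002"}

MAX_FAILURES = 5        # failed attempts tolerated per source address ...
WINDOW_SECONDS = 60.0   # ... inside this sliding window


@dataclass
class Gate:
    credentials: Dict[str, str]
    max_failures: int = MAX_FAILURES
    window: float = WINDOW_SECONDS
    failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    sessions: Dict[str, str] = field(default_factory=dict)  # identifier -> peer holding it

    def _prune(self, peer: str, now: float) -> Deque[float]:
        q = self.failures[peer]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def _record_failure(self, peer: str, now: float) -> None:
        self._prune(peer, now).append(now)

    def admit(self, peer: str, path: str, headers: Dict[str, str],
              now: Optional[float] = None) -> Tuple[int, str]:
        """Decide a WebSocket upgrade request; returns (HTTP status, reason)."""
        now = time.monotonic() if now is None else now
        # CWE-307: lock out a source that has exhausted its failure budget.
        if len(self._prune(peer, now)) >= self.max_failures:
            return 429, "too many failed authentication attempts"
        cp_id = path.rstrip("/").rsplit("/", 1)[-1]   # .../ocpp/<identifier>
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # CWE-306: a bare identifier in the path is never enough.
        if scheme.lower() != "basic" or not token:
            self._record_failure(peer, now)
            return 401, "authentication required"
        try:
            user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
        except ValueError:   # binascii.Error and UnicodeDecodeError are both ValueErrors
            self._record_failure(peer, now)
            return 401, "malformed credentials"
        expected = self.credentials.get(cp_id)
        # Username must equal the path identifier; password compared in constant time.
        ok = (user == cp_id and expected is not None
              and hmac.compare_digest(password.encode(), expected.encode()))
        if not ok:
            self._record_failure(peer, now)
            return 401, "invalid credentials"
        # CWE-613: do not let a newer connection shadow an established session.
        holder = self.sessions.get(cp_id)
        if holder is not None and holder != peer:
            return 409, "identifier already in session"
        self.sessions[cp_id] = peer
        return 101, "switching protocols"

    def release(self, cp_id: str, peer: str) -> None:
        """Called when the holding connection closes; frees the identifier."""
        if self.sessions.get(cp_id) == peer:
            del self.sessions[cp_id]


def basic_auth(user: str, password: str) -> str:
    """Build the Authorization header value a charge point would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    gate = Gate(CHARGE_POINTS)
    good = {"Authorization": basic_auth("HU-CP-0001", "s3cret-0001")}
    print(gate.admit("198.51.100.20", "/ocpp/HU-CP-0001", {}, now=0.0))     # (401, ...)
    print(gate.admit("198.51.100.20", "/ocpp/HU-CP-0001", good, now=1.0))   # (101, ...)
    print(gate.admit("203.0.113.9", "/ocpp/HU-CP-0001", good, now=2.0))     # (409, ...)
```

The 409 branch is the design choice worth noting: a backend that quietly replaces the existing session is exactly what makes shadowing possible, so the second claimant is refused and the event should be logged. Where the deployment supports it, OCPP security profile 3 (TLS with client-side certificates) removes the shared-password dependency entirely; the gate above is the minimum for profiles 1 and 2.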
CVE-2026-27777: Publicly Accessible Credentials
The final identified vulnerability, CVE-2026-27777, has a CVSS v3.1 score of 6.5 (MEDIUM) and is related to CWE-522: Insufficiently Protected Credentials. This flaw exposes charging station authentication identifiers publicly via web-based mapping platforms. While not as immediately exploitable as the others, this exposure provides critical reconnaissance data to potential attackers, simplifying the targeting and execution of attacks leveraging the other listed vulnerabilities.
Impact and Recommendations
These Mobiliti e-mobi.hu EV charging station vulnerabilities collectively present a severe risk to the operational technology (OT) environments where these stations are deployed. Successful exploitation could lead to widespread disruption of EV charging services, financial losses for operators and users, and potential safety concerns if charging processes are maliciously interfered with. There are no known public exploitation attempts targeting these specific vulnerabilities reported to CISA at this time.
Mobiliti did not respond to CISA’s coordination efforts regarding these issues, meaning no official patches or specific vendor-provided remediations are available. Consequently, organizations operating these systems must rely on compensating mitigations of their own to reduce exposure to these flaws.
Actionable Recommendations and Mitigations
Security professionals should prioritize the following defensive measures:
- Network Isolation: Minimize network exposure for all control system devices and systems. Ensure they are not directly accessible from the internet. This is a fundamental control for securing ICS/OT assets.
- Firewall Segmentation: Place control system networks and remote devices behind firewalls and logically isolate them from corporate or business networks.
- Secure Remote Access: If remote access is essential, use secure methods like Virtual Private Networks (VPNs). Ensure VPNs are updated to the latest versions and recognize that their security is dependent on the connected devices’ posture.
- Contact Vendor: Reach out to Mobiliti directly through their customer support channels (e.g., https://www.mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat) for any future advisories or potential remedies.
- Monitoring and Detection: Implement continuous monitoring of network traffic to and from charging stations to detect unusual activity, such as excessive authentication attempts or unauthorized command issuance. Leverage SIEM and EDR solutions where appropriate to identify anomalous behaviors that could indicate attempted exploitation.
- Risk Assessment: Perform thorough impact analysis and risk assessments before deploying any defensive measures to understand potential operational implications.
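The monitoring recommendation above names two signals worth alerting on: excessive authentication attempts (CVE-2026-20882) and one charge point identifier connecting from more than one place (CVE-2026-27764). As an added example, not part of the advisory or any Mobiliti tooling, the following runs two such rules over backend connection logs. The log format and the sample lines are constructed for the example; a real deployment would adapt the regular expression to the backend's actual WebSocket access log.

```python
"""Two detection rules over WebSocket backend logs (added example).

Constructed log format, one event per line:
  <ISO-8601 UTC> ws_auth    peer=<addr> cp=<identifier> result=ok|fail
  <ISO-8601 UTC> ws_connect peer=<addr> cp=<identifier>

Rules:
  auth-burst : more than MAX_FAIL failed authentications from one source
               address inside WINDOW seconds (excessive attempts / brute force)
  shadowing  : one identifier connecting from two different source addresses
               inside WINDOW seconds (identifier reuse / session hijack)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>ws_auth|ws_connect) peer=(?P<peer>\S+) cp=(?P<cp>\S+)"
    r"(?: result=(?P<result>\S+))?$"
)
WINDOW = 60.0
MAX_FAIL = 3

# Constructed sample: one source failing against several identifiers, then the
# identifier HU-CP-0001 connecting from a second address 15 s after the first.
SAMPLE_LOG = """\
2026-03-03T10:00:01Z ws_auth peer=203.0.113.7 cp=HU-CP-0001 result=fail
2026-03-03T10:00:02Z ws_auth peer=203.0.113.7 cp=HU-CP-0001 result=fail
2026-03-03T10:00:03Z ws_auth peer=203.0.113.7 cp=HU-CP-0002 result=fail
2026-03-03T10:00:04Z ws_auth peer=203.0.113.7 cp=HU-CP-0003 result=fail
2026-03-03T10:00:10Z ws_auth peer=198.51.100.20 cp=HU-CP-0001 result=ok
2026-03-03T10:00:10Z ws_connect peer=198.51.100.20 cp=HU-CP-0001
2026-03-03T10:00:25Z ws_auth peer=203.0.113.9 cp=HU-CP-0001 result=ok
2026-03-03T10:00:25Z ws_connect peer=203.0.113.9 cp=HU-CP-0001
2026-03-03T10:05:00Z ws_auth peer=198.51.100.21 cp=HU-CP-0002 result=ok
2026-03-03T10:05:00Z ws_connect peer=198.51.100.21 cp=HU-CP-0002
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict with a float UTC timestamp, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    stamp = datetime.strptime(str(ev["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    ev["ts"] = stamp.replace(tzinfo=timezone.utc).timestamp()
    return ev


def analyze(text: str, window: float = WINDOW, max_fail: int = MAX_FAIL) -> List[Tuple[str, str]]:
    """Return (rule, subject) alerts in the order they fire."""
    alerts: List[Tuple[str, str]] = []
    fails: Dict[str, deque] = defaultdict(deque)   # peer -> failure timestamps
    seen: Dict[str, deque] = defaultdict(deque)    # cp  -> (ts, peer) of connects
    burst_flagged = set()                          # alert once per source
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts = float(ev["ts"])
        if ev["event"] == "ws_auth" and ev["result"] == "fail":
            q = fails[str(ev["peer"])]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) > max_fail and ev["peer"] not in burst_flagged:
                burst_flagged.add(ev["peer"])
                alerts.append(("auth-burst", str(ev["peer"])))
        elif ev["event"] == "ws_connect":
            q = seen[str(ev["cp"])]
            while q and ts - q[0][0] > window:
                q.popleft()
            if any(p != ev["peer"] for _, p in q):
                alerts.append(("shadowing", str(ev["cp"])))
            q.append((ts, ev["peer"]))
    return alerts


if __name__ == "__main__":
    for rule, subject in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject}")
```

The shadowing rule keys on the identifier rather than the address, so a legitimate charger reconnecting from its own address after a network blip does not fire; only a different address presenting the same identifier inside the window does, which is the displacement pattern the advisory describes.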
CISA’s recommendations emphasize the importance of defense-in-depth strategies for improving Industrial Control Systems cybersecurity. Organizations should consult resources like ICS-TIP-12-146-01B for further guidance on targeted cyber intrusion detection and mitigation. Any suspected malicious activity should be reported to CISA for tracking and correlation.