Advisory

Critical Authentication and Session Flaws Discovered in Mobility46 EV Charging Stations

Take action: If you operate Mobility46 charging stations, make sure that the systems are isolated from the internet and accessible only from trusted networks or VPN.


CISA has published an advisory covering multiple vulnerabilities in the EV charging platform of Mobility46, a Swedish provider of electric vehicle charging solutions; at least one of them is rated critical.

Successful exploitation gives an attacker full administrative control over the EV charging infrastructure: manipulation of charging parameters, theft of service, or large-scale denial of service across a transportation network. Because these systems sit in the energy and transportation critical-infrastructure sectors, a compromise could disrupt public infrastructure and corrupt the financial reporting data sent to the backend. The lack of rate limiting additionally lets an attacker misroute telemetry and so hide malicious activity from operators.

Vulnerabilities summary:

  • CVE-2026-27028 (CVSS score 9.4) - Missing authentication on the OCPP WebSocket endpoints lets an unauthenticated attacker impersonate a charging station. Connecting to the endpoint with a known station identifier is enough to send and receive commands as that charger, leading to privilege escalation and corruption of backend data.
  • CVE-2026-26305 (CVSS score 7.5) - Improper restriction of authentication attempts on the WebSocket API enables denial of service. An attacker can flood the endpoint with requests to suppress legitimate telemetry, or brute-force credentials to gain unauthorized access.
  • CVE-2026-27647 (CVSS score 7.3) - Insufficient session expiration: the backend lets multiple endpoints use the same predictable session identifier. This enables session hijacking or "shadowing", in which a new connection displaces the legitimate station and intercepts the commands the backend sends to it.
  • CVE-2026-22878 (CVSS score 6.5) - Information disclosure: charging station authentication identifiers are publicly visible on web-based mapping platforms. An attacker can harvest these identifiers and use them to exploit the WebSocket vulnerabilities above.
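The four findings share one root cause: the backend treats a station identifier as proof of identity, and the identifier is public. The following is an added example, written for this page and not code from Mobility46 or from CISA, of the admission checks an OCPP-J (OCPP over WebSocket) central system needs on the handshake to close these gaps: per-station authentication that does not rely on the identifier alone (modelled on OCPP 1.6 security profile 1, HTTP Basic auth with the charge point identity as the user name), refusal to let a second connection displace a station that is already connected, and throttling of repeated failed attempts per source address. The station identifiers, passwords, peer addresses and URL layout (`/ocpp/<chargePointId>`) are constructed sample data and assumptions, not values from the advisory.

```python
"""Handshake admission control for an OCPP-J central system (added example).

Assumed conventions: the charge point identity is the last path segment of the
WebSocket URL, and the station authenticates with HTTP Basic auth whose user
name must equal that identity. All identifiers, passwords and addresses used
here are constructed sample data.
"""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Decision:
    accepted: bool
    status: int      # HTTP status the handshake would answer with
    reason: str


@dataclass
class AdmissionGate:
    # chargePointId -> (salt, sha256(salt || password)); passwords are never stored in clear
    credentials: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    # chargePointId -> peer address of the currently connected station
    active: Dict[str, str] = field(default_factory=dict)
    # peer address -> timestamps of recent failed handshakes
    failures: Dict[str, List[float]] = field(default_factory=dict)
    max_failures: int = 5
    window_s: float = 60.0

    def enroll(self, cp_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.credentials[cp_id] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def _password_ok(self, cp_id: str, password: str) -> bool:
        entry = self.credentials.get(cp_id)
        if entry is None:
            # Do the same amount of work for unknown ids so timing does not reveal which ids exist
            hashlib.sha256(b"\0" * 16 + password.encode()).digest()
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def _throttled(self, peer: str, now: float) -> bool:
        recent = [t for t in self.failures.get(peer, []) if now - t < self.window_s]
        self.failures[peer] = recent
        return len(recent) >= self.max_failures

    def _record_failure(self, peer: str, now: float) -> None:
        self.failures.setdefault(peer, []).append(now)

    def handshake(self, path: str, headers: Dict[str, str], peer: str,
                  now: Optional[float] = None) -> Decision:
        now = time.monotonic() if now is None else now
        # Rate limiting per source address: blunts both credential brute force and floods
        if self._throttled(peer, now):
            return Decision(False, 429, "too many failed attempts from this address")
        cp_id = path.rstrip("/").rsplit("/", 1)[-1]
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            self._record_failure(peer, now)
            return Decision(False, 401, "missing credentials")
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except Exception:
            self._record_failure(peer, now)
            return Decision(False, 400, "malformed Authorization header")
        # A known (publicly listed) identifier is not proof of identity: the URL identity
        # must match the authenticated user name and the per-station secret must verify
        if user != cp_id or not self._password_ok(cp_id, password):
            self._record_failure(peer, now)
            return Decision(False, 401, "bad credentials")
        # Never let a new connection silently displace a live station (session shadowing);
        # the existing session must be closed explicitly first
        if cp_id in self.active:
            return Decision(False, 409, f"{cp_id} already connected from {self.active[cp_id]}")
        self.active[cp_id] = peer
        return Decision(True, 101, "switching protocols")

    def disconnect(self, cp_id: str) -> None:
        self.active.pop(cp_id, None)


def basic(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a station would send (helper for tests/demos)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```

The 409 on a duplicate identity is deliberate: an operator should see a conflict in the logs rather than have the real station drop off the backend, which is exactly the displacement the session-expiration flaw allows. The failure counter is keyed by source address rather than by station id so that an attacker cannot lock a legitimate station out by hammering its identifier.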

The vulnerabilities affect all versions of the Mobility46 platform (mobility46.se). CISA notes that the vendor did not respond to its coordination requests, so no official patch is currently available from the manufacturer.

With no vendor fix available, operators must rely on network controls to protect the vulnerable systems. Place charging stations and their backend WebSocket endpoints on an isolated network segment behind a firewall, confirm they are not reachable from the public internet, and, where remote access is required, provide it only through a VPN.
