Advisory

Multiple Flaws Reported in Mobiliti EV Charging Infrastructure

Take action: If you use Mobiliti charging stations, treat them as untrusted devices and make sure they are isolated from the public internet immediately. The vendor isn't responding with patches.


Learn More

CISA reports multiple flaws in the e-mobi.hu infrastructure of Mobiliti, a Hungarian electric vehicle charging provider.

Vulnerabilities summary:

  • CVE-2026-26051 (CVSS score 9.4) - A missing authentication vulnerability in WebSocket endpoints that allows unauthenticated attackers to connect to the OCPP backend. By using a discovered charging station identifier, an attacker can impersonate a legitimate charger to issue or receive commands. This leads to privilege escalation and unauthorized control of the charging infrastructure.
  • CVE-2026-20882 (CVSS score 7.5) - An improper restriction of authentication attempts in the WebSocket API that lacks rate limiting. Attackers can use this to run brute-force attacks or launch denial-of-service (DoS) attacks by suppressing legitimate telemetry data. This disrupts the communication between the charger and the management backend.
  • CVE-2026-27764 (CVSS score 7.3) - An insufficient session expiration flaw that allows multiple endpoints to connect using the same session identifier. This enables session shadowing, where a malicious connection displaces a legitimate one to intercept backend commands. Attackers can use this to hijack active sessions or overwhelm the backend with valid requests.
  • CVE-2026-27777 (CVSS score 6.5) - An insufficiently protected credentials vulnerability where charging station authentication identifiers are publicly accessible. These identifiers are exposed through web-based mapping platforms, providing the necessary primitives for the impersonation attacks described in other CVEs.

All versions of the Mobiliti e-mobi.hu platform are currently affected. CISA reported that Mobiliti did not respond to coordination requests, so no official firmware updates or patches are available at this time. 
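
As an added example (not part of the CISA advisory and not Mobiliti code), the following Python shows detection logic that could run over WebSocket connection logs from an OCPP backend or a proxy in front of it. It covers two of the behaviours above: a second source connecting under a station identifier that already has a live socket (CVE-2026-27764), and bursts of connection attempts from one address (CVE-2026-20882). The log layout, station names, addresses and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; the "timestamp event source_ip station_id" layout is an assumption.
SAMPLE_LOG = """\
2026-03-01T10:00:00 OPEN 10.0.0.5 STATION-A
2026-03-01T10:00:05 OPEN 10.0.0.6 STATION-B
2026-03-01T10:01:00 CLOSE 10.0.0.6 STATION-B
2026-03-01T10:01:10 OPEN 10.0.0.6 STATION-B
2026-03-01T10:02:00 OPEN 203.0.113.9 STATION-A
2026-03-01T10:02:01 OPEN 203.0.113.9 STATION-C
2026-03-01T10:02:02 OPEN 203.0.113.9 STATION-D
2026-03-01T10:02:03 OPEN 203.0.113.9 STATION-E
"""

def analyze(log_text, max_opens=3, window=timedelta(seconds=60)):
    """Return (rule, station_id, source_ip, timestamp) alerts in log order."""
    open_by_station = defaultdict(set)  # station_id -> source IPs with a live socket
    opens_by_ip = defaultdict(deque)    # source IP -> timestamps of recent OPENs
    rate_flagged = set()                # report each noisy source only once
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts_raw, event, ip, station = parts
        ts = datetime.fromisoformat(ts_raw)
        if event == "CLOSE":
            open_by_station[station].discard(ip)
            continue
        if event != "OPEN":
            continue
        # Session shadowing: same station identifier, different live source.
        if open_by_station[station] - {ip}:
            alerts.append(("SHADOW", station, ip, ts_raw))
        open_by_station[station].add(ip)
        # Missing rate limit: count this source's OPENs inside a sliding window.
        recent = opens_by_ip[ip]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) > max_opens and ip not in rate_flagged:
            rate_flagged.add(ip)
            alerts.append(("RATE", "-", ip, ts_raw))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

A clean reconnect (CLOSE followed by OPEN from the same source, as STATION-B does in the sample) raises no alert; only an overlapping connection from a different address does.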
