CVE-2026-20748 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the WebSocket backend of Everon's api.everon.io service, which manages electric vehicle charging stations. The backend uses charging station identifiers as unique session identifiers; however, it permits multiple endpoints to connect using the same session ID. This design flaw results in predictable and reusable session identifiers, enabling an attacker to hijack or shadow sessions. In a session hijacking scenario, the attacker’s connection displaces the legitimate charging station's connection, allowing the attacker to receive backend commands intended for the legitimate device. This can lead to unauthorized control or manipulation of charging stations. Additionally, the vulnerability can be exploited to cause a denial-of-service (DoS) condition by overwhelming the backend with numerous valid session requests, exhausting resources and disrupting service availability. The vulnerability affects all versions of the product and can be exploited remotely over the network without requiring authentication or user interaction. The CVSS 3.1 base score of 7.3 reflects the ease of exploitation and the potential impact on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the vulnerability poses a significant risk to the security of EV charging infrastructure managed via Everon's API.

The vulnerability can have severe consequences for organizations operating electric vehicle charging infrastructure using Everon's api.everon.io. Successful exploitation allows attackers to impersonate legitimate charging stations, potentially manipulating charging sessions, disrupting billing, or causing operational failures. This undermines the integrity and reliability of EV charging services and can damage customer trust. The session hijacking can also lead to unauthorized access to backend commands, risking further compromise of the infrastructure. The denial-of-service potential can disrupt service availability, impacting large numbers of users and causing financial and reputational damage. Given the critical role of EV charging infrastructure in energy and transportation sectors, such disruptions can have cascading effects on smart grid operations and urban mobility. The vulnerability's network-based, no-authentication exploitation vector increases the risk of widespread attacks, especially if threat actors develop automated tools. Organizations may face regulatory and compliance challenges if customer data or service availability is impacted.

To mitigate CVE-2026-20748, organizations should implement the following specific measures: 1) Enforce strict session management by ensuring session identifiers are unique, unpredictable, and bound to a single active connection to prevent session shadowing. 2) Implement robust session expiration and invalidation mechanisms to prevent reuse of stale session IDs. 3) Introduce mutual authentication between charging stations and the backend to verify the legitimacy of connections before accepting commands. 4) Rate-limit session initiation requests to mitigate denial-of-service attempts caused by flooding with valid session requests. 5) Monitor WebSocket connections for anomalies such as multiple connections using the same session ID or unusual connection patterns. 6) Work with Everon to obtain patches or updates addressing this vulnerability as they become available. 7) Employ network-level protections such as Web Application Firewalls (WAFs) configured to detect and block suspicious WebSocket traffic. 8) Conduct regular security assessments and penetration testing focused on session management and WebSocket communication security. These targeted actions go beyond generic advice and address the root causes of the vulnerability.