CVE-2026-20748: CWE-613 in Everon api.everon.io
Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
AI Analysis
Technical Summary
CVE-2026-20748 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the Everon api.everon.io WebSocket backend. The system uses charging station identifiers as session identifiers to uniquely associate sessions. However, the implementation allows multiple endpoints to connect using the same session identifier, making these identifiers predictable and reusable. This design flaw enables session hijacking or session shadowing attacks, where an attacker can connect using the same session ID and displace the legitimate charging station connection. Consequently, the attacker can receive backend commands intended for the legitimate station, potentially manipulating charging operations or extracting sensitive information. Furthermore, the vulnerability can be exploited to launch denial-of-service attacks by flooding the backend with numerous valid session requests, overwhelming system resources. The vulnerability affects all versions of the Everon api.everon.io product, requires no privileges or user interaction to exploit, and has a CVSS 3.1 score of 7.3, indicating high severity. No patches or known exploits are currently reported, but the risk remains significant due to the critical nature of session management in this infrastructure.
Potential Impact
The vulnerability poses a serious risk to organizations relying on Everon's api.everon.io for managing electric vehicle charging stations. Successful exploitation can lead to unauthorized access to backend commands, allowing attackers to impersonate legitimate charging stations, potentially manipulating charging sessions, causing financial loss, or disrupting service availability. The session hijacking can compromise confidentiality and integrity of communications between charging stations and backend systems. Additionally, denial-of-service attacks can degrade or completely disrupt charging infrastructure operations, impacting service availability and customer trust. Given the increasing reliance on EV infrastructure worldwide, such disruptions could have cascading effects on energy management and transportation services. The ease of exploitation without authentication or user interaction further amplifies the threat, making it accessible to remote attackers. Organizations may face operational downtime, reputational damage, and regulatory scrutiny if the vulnerability is exploited.
Mitigation Recommendations
To mitigate CVE-2026-20748, organizations should implement the following specific measures:
1. Enforce unique, unpredictable session identifiers that cannot be reused or guessed, ensuring that only one active session per charging station identifier is allowed at any time.
2. Implement strict session expiration and invalidation policies to prevent stale or duplicated sessions.
3. Introduce mutual authentication mechanisms between charging stations and the backend to verify the legitimacy of connections before accepting commands.
4. Monitor WebSocket connections for abnormal patterns such as multiple simultaneous connections using the same identifier or excessive session requests indicative of DoS attempts.
5. Employ rate limiting and connection throttling on the backend to mitigate flooding attacks.
6. If possible, isolate critical backend components behind additional authentication layers or network segmentation to reduce exposure.
7. Engage with Everon for updates or patches addressing this vulnerability and apply them promptly once available.
8. Conduct regular security assessments and penetration testing focused on session management and WebSocket communication security.
These targeted actions go beyond generic advice and address the root causes of the vulnerability.
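The one-session-per-identifier rule and the duplicate-connection monitoring from the recommendations above, as an added example that is not Everon's code: a constructed in-memory session registry. `NaiveRegistry` reproduces the behaviour the advisory describes (the station id is the session key and the newest connection displaces the holder); `HardenedRegistry` refuses a second connection for a live station id, records the attempt for monitoring, issues a random per-connection token instead of reusing the station id, and expires sessions that stop heart-beating. Station ids, peer addresses and the 300 s TTL are assumptions; handling of an explicit socket close is omitted.

```python
import secrets
from dataclasses import dataclass

class NaiveRegistry:
    """The flaw described above: the station id is the only session key and a
    second connection for the same id silently replaces the first (constructed)."""
    def __init__(self):
        self.by_station = {}  # station_id -> peer address
    def connect(self, station_id, peer, now):
        self.by_station[station_id] = peer  # newest connection wins, no check
        return station_id                    # the station id doubles as the session id
    def route_command(self, station_id):
        return self.by_station.get(station_id)

@dataclass
class Session:
    token: str        # random per-connection secret, independent of the station id
    peer: str
    last_seen: float

class HardenedRegistry:
    """One live session per station id: a duplicate connect is refused and recorded
    for monitoring, and idle sessions expire (addresses CWE-613)."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.by_station = {}  # station_id -> Session
        self.alerts = []      # (station_id, holder_peer, rejected_peer)
    def expire(self, now):
        stale = [sid for sid, s in self.by_station.items() if now - s.last_seen > self.ttl]
        for sid in stale:
            del self.by_station[sid]

    def connect(self, station_id, peer, now):
        self.expire(now)
        holder = self.by_station.get(station_id)
        if holder is not None:  # refuse: the legitimate session keeps the id
            self.alerts.append((station_id, holder.peer, peer))
            return None
        s = Session(secrets.token_urlsafe(32), peer, now)
        self.by_station[station_id] = s
        return s.token

    def heartbeat(self, station_id, token, now):
        s = self.by_station.get(station_id)
        if s is None or not secrets.compare_digest(s.token, token):
            return False
        s.last_seen = now
        return True
    def route_command(self, station_id):
        s = self.by_station.get(station_id)
        return None if s is None else s.peer
```

The `alerts` list is the hook for recommendation 4: every refused duplicate names the station id, the holder's peer and the rejected peer, which is exactly the pattern to forward to monitoring.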
Affected Countries
United States, Germany, Netherlands, France, United Kingdom, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-25T15:28:27.138Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aaf339c48b3f10ffa20e17
Added to database: 3/6/2026, 3:31:05 PM
Last enriched: 3/13/2026, 7:23:48 PM
Last updated: 4/21/2026, 7:39:59 AM