CVE-2026-24445 identifies a vulnerability in the ev.energy product's WebSocket API, which lacks restrictions on the number of authentication requests an entity can make. This absence of rate limiting (CWE-307) allows an attacker to flood the authentication mechanism with excessive requests. Such behavior can lead to denial-of-service (DoS) conditions by suppressing or mis-routing legitimate charger telemetry data, which is critical for the proper operation and monitoring of electric vehicle charging infrastructure. Additionally, the lack of rate limiting facilitates brute-force attacks against authentication mechanisms, potentially enabling unauthorized access if weak credentials are used. The vulnerability affects all versions of ev.energy and can be exploited remotely without requiring prior authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and an impact limited to availability. Although no public exploits are known at this time, the vulnerability poses a significant risk to the availability of EV charging services managed by ev.energy, which could disrupt EV charging operations and impact users relying on this infrastructure. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations and monitoring.

The primary impact of CVE-2026-24445 is on the availability of EV charging services managed by ev.energy. A successful denial-of-service attack could disrupt telemetry data flow, causing chargers to malfunction or become unresponsive, leading to service outages and user dissatisfaction. This disruption could have cascading effects on EV fleet operations, public charging stations, and energy management systems relying on accurate telemetry. The potential for brute-force attacks raises concerns about unauthorized access, which could lead to further exploitation or manipulation of charging infrastructure, though confidentiality and integrity impacts are not directly indicated. Organizations worldwide that depend on ev.energy for EV charging management could face operational downtime, financial losses, and reputational damage. The vulnerability also poses risks to critical infrastructure sectors promoting EV adoption as part of energy transition strategies, potentially affecting energy grid stability and smart city initiatives.

To mitigate CVE-2026-24445, organizations should implement strict rate limiting on authentication requests at the WebSocket API level to prevent abuse. Deploying Web Application Firewalls (WAFs) or API gateways capable of detecting and throttling excessive authentication attempts can reduce the risk of DoS and brute-force attacks. Monitoring and alerting on abnormal authentication patterns will help identify potential exploitation attempts early. Employing strong authentication mechanisms, such as multi-factor authentication (MFA), can further reduce the risk of unauthorized access. Network segmentation and limiting exposure of the WebSocket API to trusted networks or VPNs can reduce the attack surface. Organizations should stay in close contact with EV Energy for patches or updates addressing this vulnerability and apply them promptly once available. Additionally, conducting regular security assessments and penetration testing on EV charging infrastructure can help identify and remediate similar issues proactively.