CVE-2026-24445 is a vulnerability identified in the ev.energy product by EV Energy, impacting all versions of the software. The root cause is the absence of rate limiting on the WebSocket API's authentication requests, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). This flaw allows an attacker to send an unlimited number of authentication requests without restriction. Consequently, attackers can launch denial-of-service (DoS) attacks by overwhelming the system, suppressing, or mis-routing legitimate charger telemetry data, which is critical for managing electric vehicle charging sessions. Additionally, the lack of rate limiting facilitates brute-force attacks aimed at guessing authentication credentials to gain unauthorized access. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting high severity primarily due to its impact on availability (A:H), with no impact on confidentiality or integrity (C:N/I:N). The attack vector is network-based (AV:N), requiring no privileges (PR:N) or user interaction (UI:N), and the scope remains unchanged (S:U). Although no known exploits have been reported in the wild, the vulnerability poses a significant risk given the increasing reliance on connected EV charging infrastructure. The WebSocket API is a critical communication channel for real-time telemetry and control commands, making its protection essential to maintain operational continuity and security. The vulnerability was published on February 27, 2026, and remains unpatched as no patch links are provided. Organizations using ev.energy must urgently address this issue to prevent service disruption and unauthorized access.

The primary impact of CVE-2026-24445 is on the availability of the ev.energy charging management system. Attackers can conduct denial-of-service attacks by flooding the WebSocket API with authentication requests, which can suppress or mis-route legitimate telemetry data from EV chargers. This disruption can lead to inaccurate charging data, potential charging failures, and degraded user experience. Additionally, the vulnerability enables brute-force attacks against authentication mechanisms, risking unauthorized access to the system. Unauthorized access could allow attackers to manipulate charging sessions, potentially causing financial loss or operational disruption. Given the critical role of EV charging infrastructure in transportation and energy management, widespread exploitation could affect grid stability and user trust. The vulnerability affects all versions of ev.energy, indicating a broad attack surface. Since no authentication or user interaction is required for exploitation, the attack can be automated and launched remotely, increasing the risk and scale of potential attacks. Organizations relying on ev.energy for EV charging management worldwide face operational risks, especially those with large EV fleets or public charging networks.

To mitigate CVE-2026-24445, organizations should implement strict rate limiting on the WebSocket API authentication requests to prevent excessive attempts from a single source. This can be achieved by configuring WebSocket servers or deploying API gateways that enforce request thresholds and temporarily block or throttle suspicious clients. Additionally, implementing account lockout policies after a defined number of failed authentication attempts can reduce brute-force risks. Monitoring WebSocket traffic for unusual patterns or spikes in authentication requests is critical to detect ongoing attacks early. Employing anomaly detection systems or intrusion detection/prevention systems (IDS/IPS) tailored to WebSocket protocols can enhance visibility. Organizations should also consider multi-factor authentication (MFA) to strengthen authentication security. Network segmentation and firewall rules restricting access to the WebSocket API to trusted sources can reduce exposure. Since no official patches are available yet, these compensating controls are essential. Finally, organizations should maintain up-to-date incident response plans specific to EV charging infrastructure and coordinate with EV Energy for timely patch deployment once available.