CVE-2026-24912 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the ePower epower.ie product. The issue arises from the WebSocket backend's use of charging station identifiers as session identifiers, which are predictable and allow multiple endpoints to connect simultaneously using the same session ID. This design flaw permits session hijacking or session shadowing attacks, where an attacker’s connection can displace the legitimate charging station’s session and receive backend commands intended for that station. The vulnerability also enables a denial-of-service (DoS) condition by allowing an attacker to flood the backend with numerous valid session requests, overwhelming system resources. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk. The CVSS v3.1 base score is 7.3, reflecting high severity with network attack vector, low attack complexity, no privileges required, and impacts on confidentiality, integrity, and availability. The vulnerability affects all versions of epower.ie, and no patches or known exploits are currently reported. The root cause is insufficient session management and predictable session identifiers in the WebSocket implementation, violating secure session handling best practices.

This vulnerability can have significant impacts on organizations operating ePower epower.ie charging station management systems. Unauthorized session hijacking could allow attackers to impersonate legitimate charging stations, potentially manipulating charging commands, disrupting operations, or gaining unauthorized access to system functions. This compromises confidentiality and integrity of communications between backend and charging stations. Additionally, the ability to cause denial-of-service by flooding the backend with session requests can disrupt service availability, impacting business continuity and customer trust. Given the critical role of charging infrastructure in energy and transportation sectors, exploitation could lead to operational disruptions, financial losses, and reputational damage. The lack of authentication and user interaction requirements increases the likelihood of exploitation, especially in environments exposed to the internet or untrusted networks.

To mitigate this vulnerability, organizations should implement the following specific measures: 1) Update the WebSocket backend to use cryptographically secure, unpredictable session identifiers that are unique per connection and expire appropriately to prevent reuse or session shadowing. 2) Enforce strict session management policies that disallow multiple simultaneous connections using the same session identifier. 3) Implement backend rate limiting and connection throttling to mitigate denial-of-service attempts by limiting the number of concurrent sessions from a single source or overall. 4) Employ mutual authentication mechanisms between charging stations and backend to ensure only authorized devices can establish sessions. 5) Monitor WebSocket connections for anomalous behavior such as rapid reconnections or multiple connections from the same session ID. 6) If available, apply vendor patches or updates addressing this vulnerability as soon as they are released. 7) Segment the network to restrict access to the WebSocket backend only to trusted devices and networks. 8) Conduct regular security assessments and penetration testing focused on session management and WebSocket implementations.