CVE-2026-25778 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the WebSocket backend of SWITCH EV's swtchenergy.com platform. The backend uses charging station identifiers as unique session identifiers; however, it permits multiple endpoints to connect simultaneously using the same session ID. This design flaw leads to predictable session identifiers and allows session hijacking or session shadowing attacks. In such attacks, the most recent connection using a given session ID displaces the legitimate charging station's connection, enabling the attacker to receive backend commands intended for the legitimate device. This can result in unauthorized authentication, allowing attackers to impersonate legitimate users or devices. Additionally, attackers can exploit this behavior to launch denial-of-service (DoS) attacks by flooding the backend with numerous valid session requests, overwhelming system resources. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. Although no known exploits have been reported in the wild, the vulnerability's characteristics and CVSS score of 7.3 (high) indicate a significant threat to confidentiality, integrity, and availability of the affected systems. The lack of patch links suggests that fixes may not yet be available, emphasizing the need for immediate mitigation efforts.

The impact of CVE-2026-25778 on organizations worldwide is substantial, especially for those deploying SWITCH EV charging infrastructure. Unauthorized session hijacking can lead to attackers impersonating legitimate charging stations, potentially manipulating charging operations, stealing service, or disrupting energy distribution. This compromises the confidentiality and integrity of operational data and control commands. The session shadowing aspect can cause legitimate devices to lose connectivity, impacting availability and potentially causing service interruptions. The ability to overwhelm the backend with session requests can result in denial-of-service conditions, affecting the reliability of charging services and potentially causing cascading effects in energy management systems. Organizations relying on these systems may face operational disruptions, financial losses, reputational damage, and regulatory compliance issues. The vulnerability's remote exploitability without authentication increases the attack surface, making it attractive to threat actors aiming to disrupt critical infrastructure or conduct fraud.

To mitigate CVE-2026-25778, organizations should implement the following specific measures: 1) Enforce strict session management by ensuring unique, unpredictable session identifiers that cannot be reused or shadowed; 2) Implement session expiration and invalidation mechanisms to prevent stale or duplicate sessions; 3) Restrict concurrent connections using the same session identifier to a single endpoint and monitor for anomalies; 4) Employ WebSocket authentication and authorization controls to validate each connection's legitimacy; 5) Introduce rate limiting and connection throttling on the backend to mitigate denial-of-service attempts; 6) Monitor logs and network traffic for unusual session behaviors indicative of hijacking or flooding; 7) Engage with SWITCH EV for patches or updates addressing this vulnerability and apply them promptly once available; 8) Consider network segmentation and firewall rules to limit exposure of the WebSocket backend to trusted networks or IP ranges; 9) Conduct regular security assessments and penetration testing focused on session management and WebSocket communications; 10) Educate operational staff on recognizing signs of session hijacking or service disruption related to charging infrastructure.