CVE-2026-25778 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting all versions of SWITCH EV's WebSocket backend for swtchenergy.com. The backend uses charging station identifiers as unique session identifiers; however, it permits multiple endpoints to connect using the same session ID. This design flaw results in predictable session identifiers and allows session hijacking or shadowing attacks. In such attacks, the most recent connection with a given session ID can displace the legitimate charging station connection, thereby intercepting backend commands intended for the legitimate device. This vulnerability can be exploited remotely without authentication or user interaction, increasing its risk profile. Attackers can impersonate legitimate charging stations, potentially manipulating charging operations or causing operational disruptions. Additionally, the vulnerability can be leveraged to launch denial-of-service attacks by overwhelming the backend with numerous valid session requests, exhausting resources and denying service to legitimate users. The CVSS v3.1 score of 7.3 reflects the high severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts confidentiality, integrity, and availability of the charging station management system, which is critical infrastructure in the electric vehicle ecosystem. No patches or exploits are currently reported, but the risk remains significant due to the nature of the flaw and the criticality of the affected systems.

The vulnerability could have severe impacts on organizations operating SWITCH EV charging infrastructure globally. Unauthorized session hijacking can lead to attackers impersonating legitimate charging stations, potentially manipulating charging sessions, causing incorrect billing, or disrupting charging availability. This undermines trust in the charging network and could lead to financial losses and reputational damage. The ability to displace legitimate connections also risks operational integrity, as commands intended for authorized devices may be intercepted or blocked. Furthermore, the potential for denial-of-service attacks by flooding the backend with session requests could disrupt service availability, affecting end-users and causing widespread outages. Given the increasing reliance on electric vehicle infrastructure, such disruptions could have cascading effects on transportation and energy sectors. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially in environments where the backend is exposed to the internet or untrusted networks. Organizations may face regulatory and compliance challenges if such vulnerabilities lead to data breaches or service interruptions.

To mitigate CVE-2026-25778, organizations should implement the following specific measures: 1) Enforce unique session identifiers per connection and prevent multiple simultaneous connections using the same session ID to eliminate session shadowing. 2) Implement robust session expiration and invalidation mechanisms to ensure stale sessions cannot be reused or hijacked. 3) Introduce cryptographically secure, unpredictable session tokens instead of using predictable charging station identifiers. 4) Apply strict backend validation to verify the legitimacy of session requests and reject duplicates or suspicious connections. 5) Employ rate limiting and anomaly detection on the WebSocket backend to detect and block flooding attempts that could lead to denial-of-service. 6) Restrict backend access to trusted networks or use VPNs and strong authentication to reduce exposure. 7) Monitor logs for unusual session activity or repeated session displacement events. 8) Engage with SWITCH EV for official patches or updates addressing this vulnerability and apply them promptly once available. 9) Conduct regular security assessments and penetration testing focused on session management controls. 10) Educate operational teams about the risks of session hijacking and the importance of secure session handling in EV infrastructure.