CVE-2026-25945 identifies a security weakness in the EV2GO ev2go.io platform, specifically in its WebSocket Application Programming Interface (API). The vulnerability arises from improper restriction of excessive authentication attempts (CWE-307), meaning the API does not implement rate limiting or throttling mechanisms on authentication requests. This deficiency allows an attacker to flood the authentication endpoint with numerous requests without restriction. The consequences are twofold: first, an attacker can launch denial-of-service (DoS) attacks by saturating the authentication channel, which can suppress or mis-route legitimate telemetry data from electric vehicle chargers, potentially disrupting charging operations and monitoring. Second, the lack of rate limiting facilitates brute-force attacks, where an attacker systematically attempts many credential combinations to gain unauthorized access to the system. The vulnerability affects all versions of the ev2go.io product and can be exploited remotely over the network without requiring prior authentication or user interaction, increasing the attack surface. The CVSS v3.1 base score of 7.5 reflects the high severity, driven by network attack vector, low attack complexity, no privileges required, and no user interaction needed, with a significant impact on availability but no direct confidentiality or integrity impact. Although no known exploits have been reported in the wild yet, the vulnerability poses a substantial risk to organizations using EV2GO's platform for managing electric vehicle charging infrastructure.

The primary impact of CVE-2026-25945 is on the availability of EV2GO's charging infrastructure services. Denial-of-service attacks exploiting this vulnerability can disrupt the telemetry data flow from chargers, leading to operational outages, inaccurate monitoring, and potential loss of control over charging sessions. This disruption can affect electric vehicle users relying on timely and accurate charging services, potentially causing financial and reputational damage to service providers. Additionally, brute-force attacks enabled by the lack of rate limiting may lead to unauthorized access, which could compromise system integrity and allow attackers to manipulate charging operations or access sensitive operational data. Given the critical role of EV2GO in electric vehicle infrastructure, such disruptions can have cascading effects on energy management and customer trust. The ease of exploitation and the broad scope of affected versions increase the risk of widespread impact, especially in regions with significant EV2GO deployment.

To mitigate CVE-2026-25945, EV2GO and affected organizations should implement robust rate limiting and throttling mechanisms on the WebSocket authentication API to restrict the number of authentication attempts per client IP or user account within a defined time window. Employing account lockout policies after a threshold of failed attempts can further reduce brute-force risks. Monitoring and alerting on abnormal authentication request patterns can help detect ongoing attacks early. Additionally, integrating multi-factor authentication (MFA) can significantly enhance security by adding an extra verification layer beyond passwords. Network-level protections such as Web Application Firewalls (WAFs) configured to detect and block excessive authentication attempts should be deployed. Organizations should also ensure timely patching once EV2GO releases updates addressing this vulnerability. In the interim, restricting access to the WebSocket API to trusted networks or VPNs can reduce exposure. Finally, conducting regular security assessments and penetration testing on the authentication mechanisms will help identify and remediate similar issues proactively.