CVE-2026-25945: CWE-307 Improper Restriction of Excessive Authentication Attempts in EV2GO ev2go.io
CVE-2026-25945 is a high-severity vulnerability in the EV2GO ev2go.io WebSocket API caused by improper restriction of excessive authentication attempts (CWE-307). The API lacks rate limiting on authentication requests, enabling attackers to perform denial-of-service attacks by disrupting legitimate charger telemetry or brute-force attacks to gain unauthorized access. This vulnerability affects all versions of ev2go.io and requires no authentication or user interaction to exploit. While no known exploits are currently reported in the wild, the potential impact on availability is significant. Organizations relying on EV2GO infrastructure for electric vehicle charging management are at risk of service disruption and unauthorized access attempts. Mitigation involves implementing strict rate limiting on authentication requests, monitoring for abnormal authentication patterns, and applying network-level protections to detect and block abusive traffic. Countries with significant EV2GO deployments and strategic EV infrastructure, including the United States, Germany, China, Japan, and the Netherlands, are most likely to be affected. Given the ease of exploitation and impact on availability, this vulnerability is rated as high severity.
AI Analysis
Technical Summary
CVE-2026-25945 identifies a security weakness in the EV2GO ev2go.io WebSocket API, specifically the absence of restrictions on the number of authentication attempts. This vulnerability falls under CWE-307, which concerns improper restriction of excessive authentication attempts. The WebSocket API allows clients to authenticate without any rate limiting or throttling controls, enabling attackers to flood the system with authentication requests. Such behavior can lead to denial-of-service (DoS) conditions by overwhelming the system or causing legitimate charger telemetry data to be suppressed or misrouted. Additionally, the lack of rate limiting facilitates brute-force attacks, where attackers systematically try many credentials to gain unauthorized access. The vulnerability affects all versions of the ev2go.io product and requires no privileges or user interaction to exploit, increasing its risk profile. Although no active exploits have been reported, the CVSS 3.1 score of 7.5 reflects a high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. The primary impact is on availability, with no direct confidentiality or integrity loss indicated. The vulnerability was published on February 26, 2026, and is assigned by ICS-CERT, highlighting its relevance to industrial control or critical infrastructure environments. EV2GO is a platform used for managing electric vehicle charging stations, making this vulnerability particularly critical for organizations operating EV infrastructure.
Potential Impact
The vulnerability can severely impact organizations relying on EV2GO's ev2go.io platform for electric vehicle charging management. A successful denial-of-service attack could disrupt the availability of charging services by suppressing or misrouting telemetry data, leading to operational downtime and loss of service reliability. This disruption can affect end-users who depend on timely and accurate charging station status, potentially causing customer dissatisfaction and financial losses. Furthermore, the possibility of brute-force attacks to gain unauthorized access raises concerns about unauthorized control or manipulation of charging infrastructure, which could lead to safety risks or further service disruptions. The absence of authentication or user interaction requirements makes the attack easier to execute remotely over the network, increasing the threat surface. Given the growing adoption of EV infrastructure globally, the impact extends to critical transportation and energy sectors, potentially affecting grid stability and public trust in EV services.
Mitigation Recommendations
To mitigate this vulnerability, EV2GO and affected organizations should implement strict rate limiting and throttling mechanisms on the WebSocket API authentication endpoints to restrict the number of authentication attempts per client or IP address within a defined time window. Deploying Web Application Firewalls (WAFs) or API gateways with anomaly detection capabilities can help identify and block excessive authentication requests. Monitoring authentication logs for unusual patterns or spikes in failed attempts is essential for early detection of brute-force or DoS attempts. Network-level protections such as IP reputation filtering, geo-blocking of suspicious regions, and use of CAPTCHA or multi-factor authentication (MFA) where feasible can further reduce risk. EV2GO should prioritize releasing patches or updates that enforce these controls and communicate best practices to customers. Organizations should also conduct regular security assessments and penetration tests on their EV infrastructure to identify and remediate similar weaknesses proactively.
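The per-client and per-IP limit within a time window recommended above can be sketched as follows. This is an added example, not EV2GO code: the class, its method names and the default thresholds are assumptions, and state is held in memory for a single server process.

```python
import time
from collections import defaultdict, deque


class AuthAttemptLimiter:
    """Sliding-window limit on failed logins, per source IP and per claimed client ID.

    Hypothetical helper; in-memory state for a single server process.
    """

    def __init__(self, max_per_ip=5, max_per_client=10, window_s=60.0, clock=time.monotonic):
        self.limits = {"ip": max_per_ip, "client": max_per_client}  # each must be >= 1
        self.window_s = window_s
        self.clock = clock
        self.failures = defaultdict(deque)  # (kind, key) -> timestamps of recent failures

    def _recent(self, kind, key):
        q = self.failures.get((kind, key))
        if q is None:
            return ()
        cutoff = self.clock() - self.window_s
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            # Free emptied entries when they are next looked up.
            del self.failures[(kind, key)]
        return q

    def retry_after(self, ip, client_id):
        """Seconds to wait before the next attempt; 0.0 means it may proceed now."""
        wait = 0.0
        for kind, key in (("ip", ip), ("client", client_id)):
            q = self._recent(kind, key)
            if len(q) >= self.limits[kind]:
                # A slot frees up when the oldest failure leaves the window.
                wait = max(wait, q[0] + self.window_s - self.clock())
        return wait

    def record_failure(self, ip, client_id):
        """Call after a credential check fails. Successes never reset the counters,
        so one valid login cannot be used to wipe a source's failure history."""
        now = self.clock()
        self.failures[("ip", ip)].append(now)
        self.failures[("client", client_id)].append(now)
```

The authentication handler calls `retry_after` before checking credentials and rejects the request when the result is non-zero. The per-client threshold is kept looser than the per-IP one so that guesses from many sources against one charger identity are still throttled without a single noisy source being able to lock that identity out quickly.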
Affected Countries
United States, Germany, China, Japan, Netherlands, United Kingdom, France, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-23T23:41:36.747Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0e11f32ffcdb8a28c270a
Added to database: 2/27/2026, 12:11:11 AM
Last enriched: 2/27/2026, 12:25:30 AM
Last updated: 2/27/2026, 2:15:25 AM