CVE-2026-27647 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the WebSocket backend of Mobility46's mobility46.se product. The backend uses charging station identifiers as session identifiers to uniquely associate sessions. However, the implementation allows multiple endpoints to connect using the same session identifier, which are also predictable. This design flaw enables session hijacking or shadowing attacks, where an attacker can establish a new connection with the same session ID, displacing the legitimate charging station. Consequently, the attacker can receive backend commands intended for the legitimate device, effectively impersonating it. Additionally, the vulnerability allows an attacker to overwhelm the backend with valid session requests, potentially causing a denial-of-service condition. The vulnerability requires no privileges or user interaction, and it affects all versions of the product. The CVSS v3.1 score is 7.3 (high), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No patches or known exploits are currently documented, but the risk remains due to the fundamental session management flaw.

This vulnerability poses a significant risk to organizations deploying Mobility46 charging station infrastructure. Unauthorized session hijacking can lead to attackers impersonating legitimate charging stations, potentially manipulating charging operations, disrupting service, or gaining unauthorized access to backend systems. The ability to displace legitimate devices can cause operational disruptions and undermine trust in the charging network. Moreover, the potential for denial-of-service by flooding the backend with session requests can degrade or halt charging services, impacting customer experience and operational continuity. Given the critical role of charging stations in electric vehicle infrastructure, such disruptions could have broader implications for energy management and transportation sectors. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the threat surface. Organizations worldwide relying on this product or similar session management schemes are at risk of confidentiality breaches, integrity violations, and availability outages.

To mitigate CVE-2026-27647, organizations should implement the following specific actions: 1) Enforce unique, unpredictable session identifiers that cannot be reused or guessed, ideally using cryptographically secure random values. 2) Restrict session concurrency by allowing only one active connection per session identifier to prevent session shadowing. 3) Implement robust session expiration and invalidation mechanisms to ensure stale sessions cannot be reused. 4) Introduce backend validation to detect and block multiple simultaneous connections using the same session ID. 5) Monitor WebSocket connections for abnormal patterns indicative of session hijacking or flooding attacks. 6) Apply network-level rate limiting and anomaly detection to mitigate denial-of-service attempts targeting session establishment. 7) Coordinate with Mobility46 for official patches or updates addressing this vulnerability once available. 8) Consider deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block suspicious WebSocket traffic. 9) Conduct regular security assessments and penetration testing focused on session management and WebSocket communication. These targeted mitigations go beyond generic advice by focusing on session uniqueness, concurrency control, and proactive monitoring tailored to the vulnerability's nature.