CVE-2026-27764: CWE-613 in Mobiliti e-mobi.hu
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
AI Analysis
Technical Summary
CVE-2026-27764 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting all versions of the Mobiliti e-mobi.hu product. The core issue lies in the WebSocket backend implementation, which uses charging station identifiers as session identifiers but allows multiple endpoints to connect using the same session ID. This design flaw results in predictable session identifiers and permits session hijacking or shadowing attacks. In such attacks, a malicious actor can connect using the same session ID as a legitimate charging station, effectively displacing the legitimate connection and intercepting backend commands intended for that station. This compromises the confidentiality and integrity of communications between the backend and charging stations. Additionally, the vulnerability can be leveraged to launch denial-of-service (DoS) attacks by flooding the backend with numerous valid session requests, overwhelming system resources and disrupting service availability. The CVSS v3.1 score of 7.3 reflects the network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability. Although no exploits have been reported in the wild, the vulnerability poses a significant risk due to the critical role of charging stations in energy infrastructure and potential for unauthorized control or disruption.
Potential Impact
The vulnerability threatens the confidentiality, integrity, and availability of charging station management systems using Mobiliti e-mobi.hu. Unauthorized session hijacking could allow attackers to impersonate legitimate charging stations, potentially manipulating charging operations, causing incorrect billing, or disrupting energy distribution. The ability to displace legitimate sessions undermines trust in the system and may lead to operational failures. The DoS potential could cause widespread service outages, affecting end-users relying on electric vehicle charging infrastructure. Given the increasing adoption of electric vehicles and smart charging networks, this vulnerability could have cascading effects on energy management and user experience. Organizations operating or managing charging stations with this product face risks of unauthorized access, operational disruption, reputational damage, and potential regulatory consequences if service reliability or data privacy is compromised.
Mitigation Recommendations
To mitigate CVE-2026-27764, organizations should implement the following specific measures:
1) Enforce unique, unpredictable session identifiers that cannot be reused or guessed, ensuring that each session is bound to a single endpoint.
2) Implement strict session management policies that invalidate previous sessions upon new connections using the same identifier to prevent session shadowing.
3) Introduce authentication and authorization mechanisms at the WebSocket connection level to verify the legitimacy of connecting endpoints before allowing session establishment.
4) Monitor and rate-limit connection attempts to the backend to detect and prevent flooding or DoS attacks.
5) Employ network-level protections such as Web Application Firewalls (WAFs) and anomaly detection systems to identify suspicious session behavior.
6) Coordinate with Mobiliti for patches or updates addressing this vulnerability, and apply them promptly once available.
7) Conduct regular security assessments and penetration testing focused on session management and WebSocket communications to identify and remediate similar weaknesses.
8) Educate operational staff about the risks of session hijacking and the importance of monitoring charging station connectivity patterns.
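The following is an added example, not Mobiliti's code and not derived from the e-mobi.hu product: a transport-agnostic session registry that a WebSocket backend handler would call when a charging station connects. It puts measures 1 through 4 into working code: the session id is a random token distinct from the station id, a session is bound to exactly one endpoint, a station id can only be claimed after a challenge-response proof with a key provisioned to that station, a successful reconnect explicitly invalidates the previous session and writes an audit entry, and challenge requests are rate-limited per endpoint. The HMAC challenge-response scheme, the station keys, the endpoint strings and the station id are all assumptions constructed for the example.

```python
"""Added example (not Mobiliti's code): session handling for a WebSocket backend
that identifies charging stations by a station id. The HMAC challenge-response
scheme, keys, endpoints and station ids below are constructed sample values."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    session_id: str   # random and unguessable; never the station id itself
    station_id: str
    endpoint: str     # the single peer this session is bound to
    created_at: float


def sign_challenge(shared_key: bytes, nonce: str) -> str:
    """Station side of the (hypothetical) scheme: prove possession of its provisioned key."""
    return hmac.new(shared_key, nonce.encode(), hashlib.sha256).hexdigest()


class SessionRegistry:
    def __init__(self, station_keys: Dict[str, bytes], max_attempts: int = 5,
                 window_s: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self._keys = dict(station_keys)                    # station_id -> shared key
        self._active: Dict[str, Session] = {}              # station_id -> live session
        self._by_id: Dict[str, Session] = {}               # session_id -> live session
        self._pending: Dict[str, Tuple[str, float]] = {}   # nonce -> (endpoint, issued_at)
        self._attempts: Dict[str, List[float]] = {}        # endpoint -> attempt timestamps
        self._max, self._window, self._clock = max_attempts, window_s, clock
        self.audit: List[str] = []                         # feed this to monitoring

    def issue_challenge(self, endpoint: str) -> Optional[str]:
        """First contact: rate-limit per endpoint, then hand out a single-use nonce."""
        now = self._clock()
        recent = [t for t in self._attempts.get(endpoint, []) if now - t < self._window]
        recent.append(now)
        self._attempts[endpoint] = recent
        if len(recent) > self._max:
            self.audit.append(f"rate-limited {endpoint}")
            return None
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = (endpoint, now)
        return nonce

    def connect(self, station_id: str, endpoint: str, nonce: Optional[str],
                proof: str) -> Optional[Session]:
        """Claim a station id only with a valid proof for the nonce this endpoint was issued."""
        issued = self._pending.pop(nonce, None) if nonce else None   # single use: no replay
        key = self._keys.get(station_id)
        if (issued is None or issued[0] != endpoint
                or self._clock() - issued[1] >= self._window or key is None
                or not hmac.compare_digest(sign_challenge(key, nonce).encode(), proof.encode())):
            self.audit.append(f"rejected {station_id} from {endpoint}")
            return None
        prev = self._active.get(station_id)
        if prev is not None:
            # Explicit invalidation: the old session id stops routing immediately,
            # and the displacement is recorded so operators can see it.
            del self._by_id[prev.session_id]
            self.audit.append(f"displaced {station_id}: {prev.endpoint} -> {endpoint}")
        sess = Session(secrets.token_urlsafe(32), station_id, endpoint, self._clock())
        self._active[station_id] = sess
        self._by_id[sess.session_id] = sess
        return sess

    def route_command(self, session_id: str, endpoint: str) -> bool:
        """Deliver a backend command only to the live session on the endpoint that authenticated."""
        sess = self._by_id.get(session_id)
        return sess is not None and sess.endpoint == endpoint


if __name__ == "__main__":
    KEY = b"constructed-station-key"
    reg = SessionRegistry({"CP-001": KEY})
    n = reg.issue_challenge("203.0.113.7:51234")
    legit = reg.connect("CP-001", "203.0.113.7:51234", n, sign_challenge(KEY, n))
    n = reg.issue_challenge("198.51.100.9:40000")
    # An unauthenticated second connection for the same station id is rejected
    # and the legitimate session keeps receiving commands.
    print(reg.connect("CP-001", "198.51.100.9:40000", n, "bogus"))
    print(reg.route_command(legit.session_id, "203.0.113.7:51234"))
    print(reg.audit)
```

The registry deliberately keeps the authentication check ahead of the displacement step: a connection can only displace a station's session after proving it holds that station's key, so an unauthenticated peer presenting a known station id neither takes over the session nor disturbs it. The audit list is where a monitoring pipeline would hook in to alert on repeated rejections or on displacements that do not coincide with a known reconnect.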
Affected Countries
United States, Germany, China, Japan, South Korea, France, United Kingdom, Netherlands, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-24T00:30:38.937Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69aaf339c48b3f10ffa20e2d
Added to database: 3/6/2026, 3:31:05 PM
Last enriched: 3/13/2026, 7:25:17 PM
Last updated: 4/20/2026, 1:19:35 PM