CVE-2026-27778: CWE-307 in ePower epower.ie
CVE-2026-27778 is a high-severity vulnerability in the ePower epower.ie product affecting all versions. The WebSocket API lacks rate limiting on authentication requests, so an attacker can flood it to cause denial of service by disrupting legitimate charger telemetry, or can brute-force authentication to gain unauthorized access. The vulnerability does not directly impact confidentiality or integrity but severely affects availability. Exploitation requires no privileges or user interaction and can be performed remotely over the network. No exploits are currently known in the wild. Organizations using epower.ie for charger telemetry should prioritize implementing rate limiting and monitoring authentication attempts to mitigate potential attacks.
AI Analysis
Technical Summary
CVE-2026-27778 identifies a vulnerability in the WebSocket Application Programming Interface of the ePower epower.ie product, where there is an absence of restrictions on the number of authentication requests. This vulnerability is classified under CWE-307, which relates to improper restriction of excessive authentication attempts. The lack of rate limiting allows an attacker to flood the authentication mechanism with numerous requests, potentially leading to denial-of-service (DoS) conditions by suppressing or mis-routing legitimate charger telemetry data. Additionally, the vulnerability facilitates brute-force attacks, where an attacker can repeatedly attempt authentication to gain unauthorized access without any imposed limits. The vulnerability affects all versions of epower.ie and can be exploited remotely without requiring any privileges or user interaction. The CVSS v3.1 base score is 7.5 (high), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and an impact limited to availability. Although no known exploits have been reported in the wild, the potential for disruption of critical telemetry data in charging infrastructure presents a significant risk. The vulnerability highlights the importance of implementing rate limiting and robust authentication controls in WebSocket APIs, especially in industrial control and telemetry systems.
Potential Impact
The primary impact of CVE-2026-27778 is on the availability of the ePower epower.ie system, which is used for charger telemetry. Successful exploitation can lead to denial-of-service conditions, disrupting the flow of telemetry data that is critical for monitoring and managing charging infrastructure. This disruption can cause operational downtime, delayed response to charger faults, and potential cascading effects on energy management systems relying on accurate telemetry. Furthermore, the ability to conduct brute-force attacks without restriction increases the risk of unauthorized access, which could lead to further exploitation or manipulation of the charging infrastructure. Organizations worldwide that depend on epower.ie for telemetry and control may face operational interruptions, reputational damage, and financial losses. The lack of confidentiality and integrity impact reduces the risk of data leakage or tampering, but availability degradation alone can have severe consequences in critical infrastructure environments.
Mitigation Recommendations
To mitigate CVE-2026-27778, organizations should implement strict rate limiting on authentication requests within the WebSocket API to prevent excessive attempts that could lead to denial-of-service or brute-force attacks. This can be achieved by configuring application-level throttling mechanisms or deploying Web Application Firewalls (WAFs) capable of detecting and blocking abnormal authentication request patterns. Additionally, implementing account lockout policies or progressive delays after failed authentication attempts will reduce brute-force risks. Monitoring and logging authentication attempts are crucial for early detection of attack patterns. Network segmentation and restricting access to the WebSocket API to trusted IP ranges can further reduce exposure. Vendors should be engaged to provide patches or updates that introduce built-in rate limiting and enhanced authentication controls. Until patches are available, organizations should consider temporary compensating controls such as API gateways with rate limiting and anomaly detection. Regular security assessments and penetration testing focused on authentication mechanisms are recommended to identify and remediate similar vulnerabilities proactively.
Affected Countries
United States, Germany, United Kingdom, France, China, South Korea, Japan, Canada, Australia, Netherlands, Italy
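The mitigation recommendations above call for rate limiting, progressive delays after failed authentication, lockout, and logging of attempts. The following is an added illustrative implementation, not code from ePower or the epower.ie product; the `AuthRateLimiter` API, the per-client key (an IP address or charger identifier) and every threshold are assumptions chosen for the example.

```python
import logging
from collections import defaultdict, deque
from dataclasses import dataclass, field

log = logging.getLogger("ws-auth")  # feed these events into monitoring/alerting


@dataclass
class ClientState:
    attempts: deque = field(default_factory=deque)  # timestamps of recent auth messages
    failures: int = 0            # consecutive failed authentications
    blocked_until: float = 0.0   # expiry of progressive delay or lockout


class AuthRateLimiter:
    """Hypothetical per-client limiter for WebSocket authentication messages."""

    def __init__(self, max_per_window=5, window=60.0, base_delay=1.0,
                 lockout_after=10, lockout=900.0):
        self.max_per_window = max_per_window   # auth messages allowed per window
        self.window = window                   # sliding window length in seconds
        self.base_delay = base_delay           # first failure delay; doubles each failure
        self.lockout_after = lockout_after     # consecutive failures that trigger lockout
        self.lockout = lockout                 # lockout length in seconds
        self.clients = defaultdict(ClientState)

    def check(self, client: str, now: float) -> tuple[bool, float]:
        """Call before verifying credentials. Returns (allowed, retry_after_seconds)."""
        st = self.clients[client]
        if now < st.blocked_until:  # still inside a progressive delay or lockout
            log.warning("auth blocked client=%s retry_after=%.0fs", client, st.blocked_until - now)
            return False, st.blocked_until - now
        while st.attempts and now - st.attempts[0] > self.window:  # expire old entries
            st.attempts.popleft()
        if len(st.attempts) >= self.max_per_window:  # flood protection (availability)
            retry = self.window - (now - st.attempts[0])
            log.warning("auth rate limit client=%s retry_after=%.0fs", client, retry)
            return False, retry
        st.attempts.append(now)
        return True, 0.0

    def record_failure(self, client: str, now: float) -> float:
        """Apply an exponential delay, escalating to lockout; returns the delay imposed."""
        st = self.clients[client]
        st.failures += 1
        if st.failures >= self.lockout_after:
            delay = self.lockout
        else:
            delay = min(self.base_delay * 2 ** (st.failures - 1), 60.0)
        st.blocked_until = now + delay
        log.warning("auth failure client=%s consecutive=%d delay=%.0fs", client, st.failures, delay)
        return delay

    def record_success(self, client: str) -> None:
        self.clients[client] = ClientState()  # clear counters after a valid login
```

The limiter is keyed per client so a flood from one source does not consume the budget of legitimate chargers, and every rejection is logged with the reason so abnormal patterns surface in monitoring.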
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-24T00:23:47.075Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa15bec48b3f10ff8a0fdf
Added to database: 3/5/2026, 11:46:06 PM
Last enriched: 3/6/2026, 12:00:21 AM
Last updated: 3/6/2026, 12:56:27 AM