CVE-2026-27778 identifies a security weakness in the WebSocket API of the ePower epower.ie product, where there are no restrictions on the number of authentication requests an entity can make. This lack of rate limiting constitutes a CWE-307 (Improper Restriction of Excessive Authentication Attempts) vulnerability. WebSocket connections are commonly used for real-time communication, and in this context, they facilitate telemetry data exchange and authentication for electric vehicle chargers managed by epower.ie. Without rate limiting, an attacker can flood the authentication endpoint with requests, leading to denial-of-service (DoS) conditions by overwhelming the system or causing legitimate telemetry data to be suppressed or misrouted. Additionally, the absence of throttling enables brute-force attacks against authentication mechanisms, potentially allowing unauthorized access if weak credentials are used. The vulnerability affects all versions of epower.ie, indicating a systemic design flaw. The CVSS 3.1 score of 7.5 (High) reflects the network attack vector, no required privileges or user interaction, and a significant impact on availability, though confidentiality and integrity remain unaffected. No patches are currently listed, and no exploits have been observed in the wild, but the risk remains substantial due to the critical nature of the service and ease of exploitation.

The primary impact of this vulnerability is on the availability of the epower.ie service, which manages electric vehicle charger telemetry and authentication. Successful exploitation can lead to denial-of-service conditions, disrupting the flow of telemetry data essential for monitoring and managing charging infrastructure. This disruption can cause operational downtime, loss of real-time data, and potential mismanagement of charging resources. Furthermore, brute-force attacks enabled by the lack of rate limiting may lead to unauthorized access, potentially allowing attackers to manipulate charger settings or access sensitive operational controls. For organizations relying on epower.ie for fleet management, public charging stations, or energy management, this can translate into service outages, reputational damage, and financial losses. The vulnerability's network accessibility and lack of required privileges increase the risk of widespread exploitation, especially in environments with exposed WebSocket endpoints. The absence of known exploits currently provides a window for proactive mitigation but also underscores the need for vigilance.

To mitigate CVE-2026-27778, organizations should implement strict rate limiting on authentication requests at the WebSocket API level to prevent excessive attempts from any single source. Deploying Web Application Firewalls (WAFs) or API gateways capable of detecting and throttling abnormal authentication traffic can provide immediate protection. Monitoring and alerting on unusual authentication patterns or spikes in WebSocket connection attempts will help identify potential attacks early. Enforcing strong authentication policies, including multi-factor authentication and robust password complexity, will reduce the risk of successful brute-force attacks. Network segmentation and restricting access to the WebSocket endpoints to trusted networks or VPNs can limit exposure. Organizations should engage with the vendor ePower for patches or updates addressing this vulnerability and apply them promptly once available. Additionally, conducting regular security assessments and penetration testing on the epower.ie deployment can help identify residual risks. Finally, maintaining up-to-date incident response plans specific to denial-of-service and authentication compromise scenarios will improve readiness.