CVE-2026-32663: CWE-613 in IGL-Technologies eParking.fi
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
AI Analysis
Technical Summary
CVE-2026-32663 is a vulnerability classified under CWE-613, affecting the eParking.fi product by IGL-Technologies. The core issue lies in the WebSocket backend's session management mechanism, which uses charging station identifiers as session identifiers. These identifiers are predictable and allow multiple endpoints to connect simultaneously using the same session ID. This design flaw enables session hijacking or session shadowing attacks, where a malicious actor can connect using a legitimate session ID and displace the original charging station connection. Consequently, the attacker can intercept or manipulate backend commands intended for the legitimate station, compromising confidentiality and integrity. Additionally, an attacker can exploit this behavior to launch denial-of-service (DoS) attacks by flooding the backend with numerous valid session requests, overwhelming system resources and disrupting service availability. The vulnerability requires no privileges or user interaction to exploit, making it remotely exploitable over the network. The CVSS v3.1 base score is 7.3 (high), reflecting the ease of exploitation and the impact on confidentiality, integrity, and availability. No patches or mitigations have been officially released at the time of publication, and no known exploits have been observed in the wild. However, the vulnerability poses a significant risk to organizations relying on eParking.fi for managing electric vehicle charging stations, especially those with critical infrastructure dependencies.
Potential Impact
The vulnerability can lead to unauthorized access to charging station sessions, allowing attackers to impersonate legitimate devices and intercept or manipulate commands. This compromises the confidentiality and integrity of communications between charging stations and backend systems. The session shadowing attack can disrupt normal operations by displacing legitimate connections, potentially causing operational failures or incorrect billing. Furthermore, the ability to overwhelm the backend with valid session requests can result in denial-of-service conditions, affecting availability and potentially causing widespread service outages. For organizations managing large fleets of electric vehicle charging stations, this could translate into significant operational disruptions, financial losses, and reputational damage. The lack of authentication and user interaction requirements lowers the barrier to exploitation, increasing the likelihood of attacks. Critical infrastructure providers and smart city deployments using eParking.fi are particularly vulnerable, as disruption could impact public services and EV users at scale.
Mitigation Recommendations
Until an official patch is released, organizations should implement network-level controls such as Web Application Firewalls (WAFs) to detect and block anomalous WebSocket session behaviors, including multiple connections using the same session ID. Rate limiting and connection throttling can help mitigate denial-of-service attempts by limiting the number of simultaneous session requests from a single source. Monitoring and logging WebSocket session activity for unusual patterns can provide early detection of exploitation attempts. Segmentation of the charging station network from other critical infrastructure reduces the blast radius of potential attacks. Implementing additional authentication or token-based session validation mechanisms at the application layer can help prevent unauthorized session reuse. Organizations should engage with IGL-Technologies for updates and patches and plan for timely deployment once available. Conducting security assessments and penetration testing focused on WebSocket session management is recommended to identify and remediate related weaknesses.
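As an added defensive illustration (not code from IGL-Technologies, eParking.fi or this advisory), the registry below contrasts the last-writer-wins session keying the advisory describes with one that requires proof of a per-station secret, refuses to displace a live session, rejects replayed handshake nonces and caps sessions per source. The station secret, nonces, station ids and peer addresses are constructed assumptions, and the secret is assumed to be provisioned to each station out of band.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Connection:
    station_id: str  # charging station identifier presented by the client
    peer: str        # source address (constructed), used only for the per-source cap


def make_proof(secret: bytes, station_id: str, nonce: str) -> str:
    """Client proof of possession of the per-station secret, bound to a fresh nonce."""
    return hmac.new(secret, f"{station_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


class ShadowableRegistry:
    """Weak pattern from the advisory: the station id alone is the session key and a newer connection silently replaces the older one."""
    def __init__(self):
        self.sessions: dict[str, Connection] = {}

    def register(self, conn: Connection) -> bool:
        self.sessions[conn.station_id] = conn  # unconditional overwrite: last writer wins
        return True


class HardenedRegistry:
    """Defensive pattern: secret proof, no displacement of a live session, nonce replay rejection, per-source cap."""
    def __init__(self, station_secrets: dict[str, bytes], max_per_peer: int = 2):
        self.secrets = station_secrets
        self.sessions: dict[str, Connection] = {}
        self.per_peer: dict[str, int] = {}
        self.seen_nonces: set[str] = set()
        self.max_per_peer = max_per_peer

    def register(self, conn: Connection, nonce: str, proof: str) -> bool:
        secret = self.secrets.get(conn.station_id)
        if secret is None or nonce in self.seen_nonces:
            return False  # unknown station or replayed handshake
        if not hmac.compare_digest(make_proof(secret, conn.station_id, nonce), proof):
            return False  # caller cannot prove it holds the station secret
        if conn.station_id in self.sessions:
            return False  # a live session is never displaced by a newcomer
        if self.per_peer.get(conn.peer, 0) >= self.max_per_peer:
            return False  # one source cannot flood the backend with sessions
        self.seen_nonces.add(nonce)
        self.sessions[conn.station_id] = conn
        self.per_peer[conn.peer] = self.per_peer.get(conn.peer, 0) + 1
        return True

    def unregister(self, conn: Connection) -> None:
        if self.sessions.get(conn.station_id) is conn:  # only the session holder may free it
            del self.sessions[conn.station_id]
            self.per_peer[conn.peer] -= 1
```

A real deployment would also expire stale sessions on socket close and key the per-source cap on something harder to rotate than a bare address.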
Affected Countries
Finland, Germany, Netherlands, United States, United Kingdom, France, Sweden, Norway, Denmark, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-03-12T20:17:17.777Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdd4681188d0bb0cbbf66c
Added to database: 3/20/2026, 11:12:40 PM
Last enriched: 3/28/2026, 9:44:54 PM
Last updated: 4/30/2026, 10:48:03 AM