CVE-2026-32663 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) found in the WebSocket backend of IGL-Technologies' eParking.fi product. The system uses charging station identifiers as session identifiers to uniquely associate WebSocket sessions. However, the implementation allows multiple endpoints to connect using the same session identifier, which are predictable and not properly invalidated or expired. This design flaw permits an attacker to perform session hijacking or session shadowing attacks by establishing a new connection with the same session ID, thereby displacing the legitimate charging station's connection. As a result, the attacker can receive backend commands intended for the legitimate station, effectively impersonating it. Additionally, the vulnerability can be exploited to cause denial-of-service by overwhelming the backend with numerous valid session requests, exhausting resources. The CVSS 3.1 base score is 7.3, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability. The vulnerability affects all versions of eParking.fi and no patches are currently available. No known exploits have been reported in the wild, but the predictable session identifiers and lack of session management controls present a significant risk.

This vulnerability can have severe consequences for organizations deploying eParking.fi, especially those managing electric vehicle charging infrastructure. Successful exploitation allows attackers to impersonate legitimate charging stations, potentially manipulating charging operations, disrupting billing, or causing operational confusion. The ability to hijack sessions compromises confidentiality and integrity of communications between charging stations and backend systems. Moreover, denial-of-service attacks can disrupt service availability, impacting user experience and operational continuity. For critical infrastructure operators or municipalities relying on eParking.fi, this could lead to service outages, financial losses, and reputational damage. The remote, unauthenticated nature of the exploit increases the attack surface, making widespread exploitation feasible if not mitigated promptly.

Until an official patch is released, organizations should implement network segmentation and firewall rules to restrict access to the WebSocket backend to trusted IP addresses and known charging stations. Employing Web Application Firewalls (WAFs) with custom rules to detect and block multiple simultaneous connections using the same session identifier can help mitigate session shadowing attempts. Monitoring WebSocket connection patterns for anomalies such as rapid reconnections or multiple connections from a single session ID is recommended. Additionally, organizations should work with IGL-Technologies to obtain patches or updates that enforce unique, unpredictable session identifiers and proper session expiration. Implementing mutual authentication between charging stations and backend systems can further reduce risk. Finally, conducting regular security assessments and incident response planning for this vulnerability is advised.