---
title: "Critical Flaws in Mobiliti e-mobi.hu Charging Stations Expose Global Energy Infrastructure"
short_title: "Critical vulnerabilities in Mobiliti e-mobi.hu charging stations"
description: "Four critical vulnerabilities in Mobiliti e-mobi.hu charging stations enable attackers to gain admin control, disrupt services, and exploit energy infrastructure. Patch now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [ev-charging, cve-2026, cybersecurity, energy-sector, vulnerability]
score: 0.92
cve_ids: [CVE-2026-26051, CVE-2026-20882, CVE-2026-27764, CVE-2026-27777]
---

## TL;DR

Four critical vulnerabilities in Mobiliti e-mobi.hu electric vehicle (EV) charging stations could allow attackers to gain unauthorized administrative control, disrupt charging services, or launch denial-of-service (DoS) attacks. These flaws affect all versions of the software and pose a significant risk to global energy and transportation infrastructure. Mobiliti has not responded to coordination efforts, leaving users to seek mitigation guidance independently.

---

## Introduction

The rapid expansion of electric vehicle (EV) charging infrastructure has introduced new cybersecurity challenges, particularly as these systems become integral to critical energy and transportation sectors. A recent discovery of four critical vulnerabilities in Mobiliti e-mobi.hu charging stations highlights the urgent need for robust security measures. If exploited, these flaws could enable attackers to hijack charging stations, manipulate data, or disrupt services, with potentially far-reaching consequences for global energy grids.

---

## Key Points

- Four critical vulnerabilities (CVE-2026-26051, CVE-2026-20882, CVE-2026-27764, CVE-2026-27777) affect all versions of Mobiliti e-mobi.hu charging stations.
- Exploitation could lead to unauthorized administrative control, denial-of-service (DoS) attacks, or session hijacking.
- The absence of authentication on the OCPP WebSocket endpoints enables attackers to impersonate charging stations and manipulate backend data.
- Publicly accessible authentication identifiers further exacerbate the risk of exploitation.
- Mobiliti has not responded to coordination requests, leaving users to implement mitigations independently.

---

## Technical Details

### Vulnerability Breakdown
The vulnerabilities in Mobiliti e-mobi.hu charging stations stem from poor authentication practices, insufficient session management, and exposed credentials. Below is a detailed breakdown of each flaw:

1. CVE-2026-26051 (CVSS 9.4 - Critical)
   - Missing Authentication for Critical Function: WebSocket endpoints lack proper authentication, allowing attackers to connect to the OCPP (Open Charge Point Protocol) WebSocket endpoint using a known or discovered charging station identifier. This enables unauthorized issuance or reception of OCPP commands, leading to privilege escalation, unauthorized control, and data corruption.
   - Relevant CWE: [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html).

2. CVE-2026-20882 (CVSS 7.5 - High)
   - Improper Restriction of Excessive Authentication Attempts: The WebSocket API lacks rate-limiting mechanisms, allowing attackers to conduct brute-force attacks or denial-of-service (DoS) attacks by overwhelming the system with authentication requests.
   - Relevant CWE: [CWE-307: Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html).

3. CVE-2026-27764 (CVSS 7.3 - High)
   - Insufficient Session Expiration: The backend uses charging station identifiers to associate sessions but allows multiple endpoints to connect using the same identifier. This results in predictable session identifiers, enabling session hijacking or shadowing, where the most recent connection displaces the legitimate station.
   - Relevant CWE: [CWE-613: Insufficient Session Expiration](https://cwe.mitre.org/data/definitions/613.html).

4. CVE-2026-27777 (CVSS 6.5 - Medium)
   - Insufficiently Protected Credentials: Charging station authentication identifiers are publicly accessible via web-based mapping platforms, increasing the risk of unauthorized access.
   - Relevant CWE: [CWE-522: Insufficiently Protected Credentials](https://cwe.mitre.org/data/definitions/522.html).
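The three backend-side weaknesses above (no authentication on the WebSocket endpoint, no limit on failed attempts, and a second connection allowed to displace the station that already holds an identifier) can all be closed at the point where the backend decides whether to accept a WebSocket upgrade. The Python below is an added illustration of that decision, not Mobiliti's code and not taken from the advisory. It assumes an OCPP-J style path layout (`/ocpp/<chargePointId>`), HTTP Basic credentials on the upgrade request as in OCPP 1.6 security profile 1, and a hypothetical per-station secret store; the `UpgradeRequest` shape, the `ConnectionGate` class, and every address and secret in `demo()` are constructed.

```python
"""Connection gate for an OCPP-J style WebSocket backend (added example).

Before a charge point's WebSocket upgrade is accepted: HTTP Basic credentials
must be present with username == station id and a constant-time password
match; failed attempts per source are limited in a sliding window; a station
with a live session is not displaced by a second socket. Path layout, request
shape and secret store are assumptions, not the vendor's code.
"""
import base64
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class UpgradeRequest:
    """Minimal view of a WebSocket upgrade request (constructed shape)."""
    path: str           # assumed layout: /ocpp/<chargePointId>
    headers: dict
    remote_addr: str
    now: float          # caller-supplied clock, in seconds


@dataclass
class ConnectionGate:
    secrets: dict                     # station id -> secret (hypothetical store)
    max_failures: int = 5
    window_seconds: float = 60.0
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    active: dict = field(default_factory=dict)   # station id -> remote_addr

    def _station_id(self, path):
        parts = [p for p in path.split("/") if p]
        return parts[1] if len(parts) == 2 and parts[0] == "ocpp" else None

    def _basic_credentials(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None

    def _throttled(self, addr, now):
        recent = self.failures[addr]
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()          # drop failures outside the window
        return len(recent) >= self.max_failures

    def evaluate(self, req):
        """Return (http_status, reason); 101 means the upgrade may proceed."""
        if self._throttled(req.remote_addr, req.now):
            return 429, "too many failed attempts from this address"
        station = self._station_id(req.path)
        if station is None:
            return 404, "unknown path"
        creds = self._basic_credentials(req.headers)
        secret = self.secrets.get(station)
        ok = (creds is not None and secret is not None and creds[0] == station
              and hmac.compare_digest(creds[1].encode(), secret.encode()))
        if not ok:
            self.failures[req.remote_addr].append(req.now)
            return 401, "authentication failed"
        holder = self.active.get(station)
        if holder is not None and holder != req.remote_addr:
            # Refuse rather than silently displace the live session.
            return 409, f"{station} already connected from {holder}"
        self.active[station] = req.remote_addr
        return 101, "switching protocols"

    def disconnect(self, station, remote_addr):
        """Release the session only if the closing socket is the one holding it."""
        if self.active.get(station) == remote_addr:
            del self.active[station]


def demo():
    """Constructed scenario: a legitimate station, a second socket reusing its
    identifier, and a brute-forcing source. Returns the status codes issued."""
    gate = ConnectionGate(secrets={"CP-0001": "example-secret"})

    def req(password, addr, now, station="CP-0001"):
        token = base64.b64encode(f"{station}:{password}".encode()).decode()
        return UpgradeRequest(f"/ocpp/{station}", {"Authorization": f"Basic {token}"}, addr, now)

    codes = [gate.evaluate(req("example-secret", "10.0.0.5", 0.0))[0]]          # 101
    codes.append(gate.evaluate(req("example-secret", "198.51.100.7", 1.0))[0])  # 409: id in use
    for i in range(5):
        codes.append(gate.evaluate(req("wrong", "203.0.113.9", 2.0 + i))[0])   # 401 x5
    codes.append(gate.evaluate(req("example-secret", "203.0.113.9", 8.0))[0])  # 429: throttled
    codes.append(gate.evaluate(UpgradeRequest("/ocpp/CP-0001", {}, "203.0.113.10", 9.0))[0])  # 401
    return codes
```

Two design points worth noting. The throttle is checked before credentials, so a source that has exhausted its budget costs the backend nothing more than a deque lookup. And a duplicate identifier yields a 409 to the newcomer instead of a takeover: if the real station has genuinely moved (new IP after a network change), an operator action, or the old socket's `disconnect()`, releases the identifier, which is a deliberate trade of convenience for an explicit decision.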

---

## Impact Assessment

The vulnerabilities in Mobiliti e-mobi.hu charging stations pose a severe risk to critical infrastructure sectors, including energy and transportation systems. Successful exploitation could result in:

- Unauthorized Administrative Control: Attackers could gain full control over charging stations, enabling them to manipulate charging processes, steal data, or disrupt services.
- Denial-of-Service (DoS) Attacks: Exploitation of these flaws could lead to widespread service disruptions, affecting EV users and energy grid stability.
- Data Corruption: Attackers could alter or corrupt charging network data, leading to financial losses or operational inefficiencies.
- Session Hijacking: Predictable session identifiers could allow attackers to impersonate legitimate charging stations, intercept commands, or launch further attacks.

Given the global deployment of these systems, the potential for large-scale disruption is significant, particularly as EV adoption continues to rise.

---

## Mitigation Steps

Mobiliti has not responded to coordination efforts by CISA (see CISA advisory [ICSA-26-062-06](https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06)), leaving users to implement mitigations independently. Recommended defensive measures include:

1. Network Segmentation:
   - Minimize network exposure for all control system devices and ensure they are not accessible from the internet.
   - Locate control system networks and remote devices behind firewalls and isolate them from business networks.

2. Secure Remote Access:
   - When remote access is required, use secure methods such as Virtual Private Networks (VPNs). Ensure VPNs are updated to the latest version and recognize that VPN security is only as strong as the connected devices.

3. Monitoring and Detection:
   - Implement intrusion detection systems (IDS) to monitor for suspicious activity.
   - Regularly audit logs for unauthorized access attempts or anomalous behavior.

4. Vendor Communication:
   - Contact Mobiliti directly via their [support page](https://www.mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat) for updates or patches.

5. Impact Analysis:
   - Perform a thorough impact analysis and risk assessment before deploying any defensive measures to avoid unintended consequences.
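For the log-audit step (item 3 above), the following Python is an added example, not part of the advisory and not vendor tooling. It assumes a constructed connection-log format (`<timestamp> ws_connect station=<id> src=<addr> auth=ok|fail`) and applies two checks that map directly to the flaws described earlier: a burst of failed authentications from one source address, and one station identifier accepted from two different source addresses within a short window, which is the shadowing pattern described under CVE-2026-27764. The sample lines, station identifiers and addresses are all constructed.

```python
"""Audit a charge-point connection log for two patterns (added example):
auth_burst       - >= fail_threshold failed authentications from one source
                   within window_s seconds (brute force / DoS attempts)
station_shadowed - one station id accepted from two different sources within
                   window_s seconds (a second socket reusing a live identifier)
The log format is a constructed one, not any vendor's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ws_connect station=(?P<station>\S+) src=(?P<src>\S+) auth=(?P<auth>ok|fail)$"
)

# Constructed sample: a station shadowed from a second address, and one source
# cycling through identifiers with bad credentials.
SAMPLE_LOG = """\
2026-03-03T10:00:01Z ws_connect station=CP-0001 src=10.0.0.5 auth=ok
2026-03-03T10:00:12Z ws_connect station=CP-0002 src=10.0.0.6 auth=ok
2026-03-03T10:01:00Z ws_connect station=CP-0001 src=198.51.100.7 auth=ok
2026-03-03T10:02:00Z ws_connect station=CP-0003 src=203.0.113.9 auth=fail
2026-03-03T10:02:01Z ws_connect station=CP-0004 src=203.0.113.9 auth=fail
2026-03-03T10:02:02Z ws_connect station=CP-0005 src=203.0.113.9 auth=fail
2026-03-03T10:02:03Z ws_connect station=CP-0006 src=203.0.113.9 auth=fail
2026-03-03T10:02:04Z ws_connect station=CP-0007 src=203.0.113.9 auth=fail
2026-03-03T10:30:00Z ws_connect station=CP-0002 src=10.0.0.6 auth=ok
"""


def parse(text):
    """Return (timestamp, station, src, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["station"], m["src"], m["auth"] == "ok"))
    return events


def detect(events, window_s=300, fail_threshold=5):
    """Return (rule, subject, timestamp) alerts, one per offending source or station."""
    alerts = []

    # Rule 1: sliding window over failed attempts, grouped by source address.
    fails = defaultdict(list)
    for ts, _, src, ok in events:
        if not ok:
            fails[src].append(ts)
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= fail_threshold:
                alerts.append(("auth_burst", src, times[end]))
                break

    # Rule 2: a successful connect for a station id recently accepted from a
    # different source address.
    seen = defaultdict(list)  # station -> [(ts, src)] of successful connects
    for ts, station, src, ok in events:
        if not ok:
            continue
        for prev_ts, prev_src in seen[station]:
            if prev_src != src and (ts - prev_ts).total_seconds() <= window_s:
                alerts.append(("station_shadowed", station, ts))
                break
        seen[station].append((ts, src))
    return alerts


def audit(text, window_s=300, fail_threshold=5):
    return detect(parse(text), window_s, fail_threshold)
```

On the constructed sample this yields one `auth_burst` for `203.0.113.9` and one `station_shadowed` for `CP-0001`. Rule 2 will also fire when a station legitimately reconnects from a new address inside the window, so in practice the window should be tuned to the deployment's reconnect behaviour, or the rule combined with an allowlist of the address ranges stations are expected to come from; the point of the alert is to make the displacement visible rather than to block it.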

For additional guidance, refer to CISA’s [recommended practices for control systems security](https://www.cisa.gov/ics) and their [technical information paper on targeted cyber intrusion detection](https://www.cisa.gov/resources-tools/resources/ics-tip-12-146-01b-targeted-cyber-intrusion-detection-and-mitigation-strategies).

---

## Affected Systems

- Vendor: Mobiliti
- Product: Mobiliti e-mobi.hu (all versions)
- Sectors Impacted: Energy, Transportation Systems
- Deployment: Worldwide

---

## Conclusion

The discovery of four critical vulnerabilities in Mobiliti e-mobi.hu charging stations underscores the growing cybersecurity risks associated with the rapid expansion of EV infrastructure. These flaws, if exploited, could have devastating consequences for global energy and transportation systems. Given Mobiliti’s lack of response, organizations must take proactive steps to secure their systems, including network segmentation, secure remote access, and continuous monitoring.

As the EV market continues to grow, cybersecurity must be prioritized to prevent potential attacks that could disrupt critical infrastructure. Organizations are urged to stay vigilant, implement recommended mitigations, and report any suspicious activity to CISA for further investigation.
