---
title: "Critical Vulnerabilities in Mobility46 Charging Stations Expose Global Energy Infrastructure"
short_title: "Mobility46 charging station flaws threaten energy security…"
description: "Four critical vulnerabilities in Mobility46 charging stations enable unauthorized control, DoS attacks, and data manipulation. Learn mitigation steps now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [ev-charging, cve-2026-27028, cybersecurity, energy-sector, vulnerability-management]
score: 0.87
cve_ids: [CVE-2026-27028, CVE-2026-26305, CVE-2026-27647, CVE-2026-22878]
---

## TL;DR

Four critical vulnerabilities in Mobility46’s EV charging stations (CVE-2026-27028, CVE-2026-26305, CVE-2026-27647, CVE-2026-22878) could allow attackers to seize administrative control, disrupt services, or manipulate charging data. Affecting global energy and transportation sectors, these flaws highlight urgent risks to critical infrastructure. No patches are available yet, but mitigation steps can reduce exposure.

---

## Main Content

### Introduction

The rapid expansion of electric vehicle (EV) infrastructure has introduced new cybersecurity challenges, particularly for charging station networks. Mobility46, a Sweden-based provider of EV charging solutions, has been identified as vulnerable to four critical security flaws in its mobility46.se platform. These vulnerabilities could enable attackers to hijack charging stations, disrupt services, or manipulate backend data, posing significant risks to the energy and transportation sectors worldwide. With no vendor response to coordination requests, organizations must act swiftly to mitigate potential threats.

---

### Key Points

- Unauthenticated access: WebSocket endpoints lack proper authentication, allowing attackers to impersonate charging stations and send malicious commands (CVE-2026-27028).
- Brute-force and DoS risks: The absence of rate limiting on authentication requests enables denial-of-service (DoS) attacks and brute-force attempts (CVE-2026-26305).
- Session hijacking: Predictable session identifiers permit attackers to displace legitimate connections and intercept backend commands (CVE-2026-27647).
- Exposed credentials: Charging station identifiers are publicly accessible via web-based mapping platforms, increasing the risk of exploitation (CVE-2026-22878).
- Global impact: Deployed across energy and transportation systems, these vulnerabilities threaten critical infrastructure in multiple countries.

---

### Technical Details

#### 1. Missing Authentication for Critical Functions (CVE-2026-27028)
- CVSS Score: 9.4 (Critical)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L`
- Description: Mobility46’s WebSocket endpoints do not require authentication, allowing unauthenticated attackers to connect using a known or discovered charging station identifier. Once connected, attackers can issue or intercept OCPP (Open Charge Point Protocol) commands, leading to:
  - Unauthorized control of charging infrastructure.
  - Privilege escalation and manipulation of backend data.
  - Corruption of telemetry and billing systems.

#### 2. Improper Restriction of Excessive Authentication Attempts (CVE-2026-26305)
- CVSS Score: 7.5 (High)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
- Description: The WebSocket API lacks rate limiting on authentication requests, enabling attackers to:
  - Launch brute-force attacks to guess credentials.
  - Conduct DoS attacks by overwhelming the system with authentication requests, suppressing or misrouting legitimate telemetry.

#### 3. Insufficient Session Expiration (CVE-2026-27647)
- CVSS Score: 7.3 (High)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L`
- Description: The backend uses charging station identifiers to associate sessions but allows multiple connections with the same identifier. This flaw results in:
  - Predictable session identifiers, enabling session hijacking or "shadowing."
  - Denial-of-service conditions if attackers flood the backend with valid session requests.
  - Unauthorized authentication as legitimate users.

#### 4. Insufficiently Protected Credentials (CVE-2026-22878)
- CVSS Score: 6.5 (Medium)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
- Description: Charging station authentication identifiers are exposed on public web-based mapping platforms, allowing attackers to:
  - Identify vulnerable targets for exploitation.
  - Combine with other vulnerabilities to escalate attacks.
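The three backend weaknesses above (unauthenticated WebSocket connects, unthrottled authentication failures, and two connections sharing one charging station identifier) each leave a distinct trace in backend access logs. The following detector is an added example, not Mobility46's code or the advisory's; it assumes a constructed key=value log format (timestamp, `src`, `event`, `cp`, optional `auth`) and flags the three patterns over embedded sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample backend log (not real Mobility46 output): one event per line.
SAMPLE_LOG = """\
2026-02-26T10:00:01Z src=198.51.100.7 event=ws_connect cp=SE-CP-0001 auth=basic
2026-02-26T10:00:05Z src=203.0.113.5 event=ws_connect cp=SE-CP-0002 auth=none
2026-02-26T10:00:10Z src=203.0.113.9 event=auth_fail cp=SE-CP-0003
2026-02-26T10:00:11Z src=203.0.113.9 event=auth_fail cp=SE-CP-0004
2026-02-26T10:00:12Z src=203.0.113.9 event=auth_fail cp=SE-CP-0005
2026-02-26T10:00:13Z src=203.0.113.9 event=auth_fail cp=SE-CP-0006
2026-02-26T10:00:30Z src=203.0.113.5 event=ws_connect cp=SE-CP-0001 auth=basic
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+) cp=(?P<cp>\S+)"
    r"(?: auth=(?P<auth>\S+))?$"
)

def detect(log_text, fail_threshold=3, window=timedelta(seconds=60)):
    """Return (rule, cp_id, src) alerts in the order they fire."""
    alerts = []
    fails = defaultdict(deque)   # src -> timestamps of recent auth failures
    active = {}                  # cp id -> src that currently holds its session
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["event"] == "ws_connect":
            if ev["auth"] == "none":          # no credential at the handshake
                alerts.append(("UNAUTH_CONNECT", ev["cp"], ev["src"]))
            holder = active.get(ev["cp"])
            if holder is not None and holder != ev["src"]:   # one id, two holders
                alerts.append(("DUPLICATE_IDENTIFIER", ev["cp"], ev["src"]))
            active[ev["cp"]] = ev["src"]
        elif ev["event"] == "ws_disconnect":
            active.pop(ev["cp"], None)
        elif ev["event"] == "auth_fail":
            q = fails[ev["src"]]
            q.append(ts)
            while ts - q[0] > window:         # drop failures outside the window
                q.popleft()
            if len(q) == fail_threshold:      # fire once as the threshold is crossed
                alerts.append(("AUTH_FLOOD", "*", ev["src"]))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one alert per pattern; in production the `ws_disconnect` branch matters, since a station that reconnects after its own disconnect must not be reported as a duplicate.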

---

### Impact Assessment

The vulnerabilities in Mobility46’s charging stations pose severe risks to critical infrastructure, including:

#### Energy Sector
- Disruption of charging services: DoS attacks could render charging stations inoperable, impacting EV fleets and public transportation.
- Data manipulation: Attackers could alter billing information, energy consumption data, or backend reporting, leading to financial losses or operational chaos.

#### Transportation Systems
- Unauthorized control: Hijacked charging stations could be used to disable or overload power grids, affecting transportation networks reliant on EVs.
- Safety risks: Manipulated charging sessions could cause electrical fires or damage vehicles.

#### Global Reach
- Deployed worldwide, these vulnerabilities expose organizations in Europe, North America, and Asia to potential attacks.
- The lack of vendor coordination exacerbates the risk, as no official patches are available.

---

### Mitigation Steps

While Mobility46 has not responded to CISA’s coordination requests, organizations can adopt the following defensive measures to minimize risks:

1. Network Segmentation
   - Isolate charging station networks from business systems using firewalls.
   - Ensure charging stations are not accessible via the internet.

2. Secure Remote Access
   - Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
   - Implement multi-factor authentication (MFA) for all remote connections.

3. Monitoring and Detection
   - Deploy intrusion detection systems (IDS) to monitor for unusual activity, such as repeated authentication attempts or unauthorized WebSocket connections.
   - Log and review all access to charging station APIs and backend systems.

4. Session Management
   - Enforce strict session expiration policies to prevent hijacking.
   - Use unique, unpredictable session identifiers for each connection.

5. Vendor Coordination
   - Contact Mobility46 via their [contact page](https://www.mobility46.se/en/contact-us) to inquire about patches or workarounds.
   - Stay informed about updates from CISA and other cybersecurity advisories.

6. Public Exposure Reduction
   - Remove or obfuscate charging station identifiers from public mapping platforms to reduce the risk of targeted attacks.
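Steps 3 and 4 describe what a backend that is not vulnerable to CVE-2026-27028, CVE-2026-26305 and CVE-2026-27647 would do at the WebSocket handshake. The registry below is an added example of that design, not Mobility46's code: it assumes each station has a secret provisioned out of band (as OCPP's Basic Authentication security profiles require), throttles failed logins per source address, issues an unpredictable per-connection token, and refuses a second connection for an identifier whose session is still live.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

class HardenedRegistry:
    """Assumed backend design, not Mobility46's code: a per-station secret is checked
    at connect time, failed logins are throttled per source address, and only one
    unexpired session may exist for a given charging station identifier."""

    def __init__(self, station_secrets, ttl=300, max_fails=5, window=60,
                 clock=time.monotonic):
        self.station_secrets = station_secrets   # cp id -> secret provisioned out of band
        self.ttl, self.max_fails, self.window = ttl, max_fails, window
        self.clock = clock                       # injectable for deterministic tests
        self.sessions = {}                       # cp id -> (token, expires_at)
        self.fails = defaultdict(deque)          # src -> times of recent failures

    def _throttled(self, src, now):
        q = self.fails[src]
        while q and now - q[0] > self.window:    # forget failures outside the window
            q.popleft()
        return len(q) >= self.max_fails

    def connect(self, cp_id, presented_secret, src):
        """Handshake check; returns (session_token, status)."""
        now = self.clock()
        if self._throttled(src, now):
            return None, "rate_limited"
        expected = self.station_secrets.get(cp_id)
        # Constant-time compare; an unknown id fails exactly like a wrong secret.
        if expected is None or not hmac.compare_digest(
                expected.encode(), presented_secret.encode()):
            self.fails[src].append(now)
            return None, "auth_failed"
        current = self.sessions.get(cp_id)
        if current is not None and current[1] > now:
            return None, "identifier_in_use"     # a live session cannot be shadowed
        token = secrets.token_urlsafe(32)        # unpredictable, unique per connection
        self.sessions[cp_id] = (token, now + self.ttl)
        return token, "ok"

    def authorize(self, cp_id, token):
        """Per-message check: token must match and the session must not have expired."""
        s = self.sessions.get(cp_id)
        if s is None or s[1] <= self.clock():
            return False
        return hmac.compare_digest(s[0].encode(), token.encode())
```

A disconnect handler that deletes `sessions[cp_id]` lets a station reconnect immediately; without it, a station that crashed mid-session has to wait out the TTL, which is the trade-off a strict expiry policy accepts.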

---

### Affected Systems

- Vendor: Mobility46
- Product: Mobility46 mobility46.se (all versions)
- Critical Infrastructure Sectors: Energy, Transportation Systems
- Deployment: Worldwide
- Headquarters: Sweden

---

### Conclusion

The discovery of these four critical vulnerabilities in Mobility46’s EV charging stations underscores the growing cybersecurity risks in the energy and transportation sectors. With no patches currently available, organizations must act proactively to mitigate potential threats through network segmentation, secure remote access, and vigilant monitoring. The global deployment of these systems amplifies the urgency, as attackers could exploit these flaws to disrupt services, manipulate data, or gain unauthorized control.

As the EV infrastructure continues to expand, vendors and organizations must prioritize cybersecurity best practices to safeguard critical infrastructure from evolving threats. Stay updated with advisories from CISA and other cybersecurity authorities to ensure timely responses to emerging risks.

---

## References

[^1]: CISA. "[ICSA-26-057-08 Mobility46 mobility46.se](https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08)". Retrieved 2024-10-02.
[^2]: NIST. "[CVE-2026-27028 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-27028)". Retrieved 2024-10-02.
[^3]: MITRE. "[CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)". Retrieved 2024-10-02.
[^4]: Mobility46. "[Contact Us](https://www.mobility46.se/en/contact-us)". Retrieved 2024-10-02.