{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mobility46/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["mobility46","charging-station","vulnerability","ics"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMobility46 charging stations are affected by multiple vulnerabilities that could allow attackers to gain unauthorized administrative control or disrupt charging services. These vulnerabilities, identified in all versions of mobility46.se, include missing authentication for critical functions (CVE-2026-27028), improper restriction of excessive authentication attempts (CVE-2026-26305), insufficient session expiration (CVE-2026-27647), and insufficiently protected credentials (CVE-2026-22878). Exploitation could lead to privilege escalation, unauthorized control of charging infrastructure, corruption of charging network data, and denial-of-service conditions. Mobility46 did not respond to CISA\u0026rsquo;s request for coordination. These charging stations are deployed worldwide across the energy and transportation sectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Mobility46 charging station\u0026rsquo;s identifier via publicly accessible web-based mapping platforms due to insufficient credential protection (CVE-2026-22878).\u003c/li\u003e\n\u003cli\u003eAttacker connects to the charging station\u0026rsquo;s OCPP WebSocket endpoint using the discovered charging station identifier, exploiting the lack of authentication mechanisms (CVE-2026-27028).\u003c/li\u003e\n\u003cli\u003eAttacker issues unauthorized OCPP commands to the charging station, impersonating a legitimate charger due to missing authentication for critical functions (CVE-2026-27028).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker overwhelms the WebSocket API with authentication requests, exploiting the lack of rate limiting and causing a denial-of-service condition (CVE-2026-26305).\u003c/li\u003e\n\u003cli\u003eAttacker hijacks or shadows a legitimate charging station session by establishing a new connection using the same session identifier, as multiple endpoints are allowed per session (CVE-2026-27647).\u003c/li\u003e\n\u003cli\u003eThe attacker receives backend commands intended for the legitimate charging station, gaining unauthorized control (CVE-2026-27647).\u003c/li\u003e\n\u003cli\u003eAttacker manipulates charging parameters, disrupts charging services, or corrupts charging network data reported to the backend.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain unauthorized control of charging infrastructure and disrupt charging services or cause financial and reputational damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations, leading to manipulation of charging parameters and disruption of services. Organizations in the energy and transportation sectors are affected worldwide. The lack of authentication and session management could allow attackers to cause denial-of-service conditions, potentially affecting numerous charging stations simultaneously. This could lead to significant financial losses, reputational damage, and disruption of critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections for unusual WebSocket traffic patterns originating from or directed towards the domain mobility46.se to detect potential exploitation attempts (IOC: mobility46.se).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated WebSocket Connection to Mobility46 Charging Station\u0026rdquo; to identify connections lacking proper authentication. Enable network connection logging for WebSocket traffic (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eApply rate limiting measures to the WebSocket API endpoints to mitigate potential denial-of-service attacks resulting from excessive authentication attempts as described in CVE-2026-26305.\u003c/li\u003e\n\u003cli\u003eImplement robust authentication mechanisms for all WebSocket endpoints to prevent unauthorized station impersonation and data manipulation, addressing CVE-2026-27028.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate the exposure of charging station authentication identifiers on web-based mapping platforms to prevent unauthorized access, addressing CVE-2026-22878.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T12:00:00Z","date_published":"2026-02-27T12:00:00Z","id":"/briefs/2026-02-mobility46-vulns/","summary":"Multiple vulnerabilities in Mobility46 charging stations allow attackers to gain unauthorized administrative control or disrupt charging services through missing authentication, improper authentication restrictions, insufficient session expiration, and exposed credentials.","title":"Mobility46 Charging Station Vulnerabilities Allow Unauthorized Control and Disruption","url":"https://feed.craftedsignal.io/briefs/2026-02-mobility46-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Mobility46","version":"https://jsonfeed.org/version/1.1"}