Executive Summary
In February 2026, four vulnerabilities, one of them rated critical, were identified in Mobility46's charging station management platform, mobility46.se: missing authentication for a critical function (CVE-2026-27028), improper restriction of excessive authentication attempts (CVE-2026-26305), insufficient session expiration (CVE-2026-27647), and insufficiently protected credentials (CVE-2026-22878). Exploitation of these flaws could allow an attacker to gain unauthorized administrative control over charging stations or to disrupt service through denial-of-service conditions. (cvefeed.io)
The increasing reliance on electric vehicle (EV) infrastructure underscores the importance of securing such platforms. These vulnerabilities highlight the need for robust authentication mechanisms and session management to prevent unauthorized access and ensure the integrity of critical infrastructure services.
Why This Matters Now
As the adoption of electric vehicles accelerates, the security of charging infrastructure becomes paramount. Addressing these vulnerabilities is urgent to prevent potential disruptions and unauthorized control over charging stations, which could have widespread implications for EV users and service providers.
Attack Path Analysis
The chain below is a plausible path derived from the four CVEs; no public exploit was known at the time of writing. An attacker with no credentials could harvest charging station identifiers from public web-based mapping platforms (CVE-2026-22878) and present one to the WebSocket API, which accepts it without any further proof of identity (CVE-2026-27028). Connected as a legitimate charger, the attacker could issue messages that the backend trusts, falsifying the data a station would normally report. Because the backend allows several endpoints to connect under the same session identifier (CVE-2026-27647), the attacker's connection can shadow or hijack the real station's session instead of being rejected, and the persistent WebSocket connection gives the attacker a bidirectional channel into the backend through which data exchanged with the impersonated station could be captured or manipulated. Because authentication attempts are not rate-limited (CVE-2026-26305), the same approach could be repeated across identifiers at scale or used to exhaust the service. The end result would be unauthorized control over charging stations and disruption of charging services.
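The two parts of that chain that leave a trace on the backend are an authentication burst from one source and a station identifier that is connected from two places at once. The following detection logic is an added example, not Mobility46's code, and the log format, thresholds and addresses are constructed for illustration:

```python
"""Added example (not Mobility46's code or logging format): detection logic
for two behaviours in the attack path above, run over constructed gateway log
lines. Alert (1) fires when one source fails WebSocket authentication
FAIL_THRESHOLD times inside WINDOW (brute force / auth flooding); alert (2)
fires when a station identifier that already has a live connection is
connected again from a different source (session shadowing)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ts> <event> key=value ..."),
# not real Mobility46 output. 203.0.113.7 plays the real charger,
# 198.51.100.9 the attacker.
SAMPLE_LOG = """\
2026-02-10T08:00:01Z CONNECT station=SE-CP-1042 src=203.0.113.7 result=ok
2026-02-10T08:00:02Z CONNECT station=SE-CP-1042 src=198.51.100.9 result=ok
2026-02-10T08:00:03Z CONNECT station=SE-CP-2001 src=198.51.100.9 result=fail
2026-02-10T08:00:04Z CONNECT station=SE-CP-2002 src=198.51.100.9 result=fail
2026-02-10T08:00:05Z CONNECT station=SE-CP-2003 src=198.51.100.9 result=fail
2026-02-10T08:00:06Z CONNECT station=SE-CP-2004 src=198.51.100.9 result=fail
2026-02-10T08:00:07Z CONNECT station=SE-CP-2005 src=198.51.100.9 result=fail
2026-02-10T08:00:08Z CONNECT station=SE-CP-2006 src=198.51.100.9 result=fail
2026-02-10T08:05:00Z DISCONNECT station=SE-CP-1042 src=203.0.113.7
2026-02-10T08:05:10Z CONNECT station=SE-CP-1042 src=203.0.113.7 result=ok
"""

FAIL_THRESHOLD = 5            # assumed tuning values
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line into (timestamp, raw timestamp, event, fields)."""
    raw_ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ"), raw_ts, event, fields


def detect(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, subject, timestamp) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent auth failures
    active = defaultdict(dict)      # station -> {src: connect timestamp}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, raw_ts, event, f = parse_line(line)
        if event == "CONNECT" and f.get("result") == "fail":
            recent = failures[f["src"]]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            # Fire once, when the threshold is first crossed inside the window.
            if len(recent) == fail_threshold:
                alerts.append(("auth_burst", f["src"], raw_ts))
        elif event == "CONNECT":
            station = f["station"]
            # A second source on a station that is already connected is the
            # observable footprint of session shadowing / hijacking.
            if active[station] and f["src"] not in active[station]:
                alerts.append(("session_shadow", station, raw_ts))
            active[station][f["src"]] = ts
        elif event == "DISCONNECT":
            active[f["station"]].pop(f["src"], None)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields three alerts: the attacker shadowing SE-CP-1042 at 08:00:02, the fifth failed attempt from 198.51.100.9 at 08:00:07, and the genuine charger reconnecting at 08:05:10 while the attacker still holds its identifier. The third alert is the one worth triaging first, since it is the legitimate station that looks like the intruder unless the earlier history is kept.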
Kill Chain Progression
Initial Compromise
Description
The attacker exploited publicly accessible charging station identifiers to impersonate legitimate stations and gain unauthorized access to the WebSocket API.
Related CVEs
CVE-2026-27028
CVSS 9.4 – WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend.
Affected Products:
Mobility46 mobility46.se – all
Exploit Status:
no public exploit
CVE-2026-26305
CVSS 7.5 – The WebSocket API lacks restrictions on the number of authentication requests, allowing potential denial-of-service or brute-force attacks.
Affected Products:
Mobility46 mobility46.se – all
Exploit Status:
no public exploit
CVE-2026-27647
CVSS 7.3 – The WebSocket backend allows multiple endpoints to connect using the same session identifier, leading to session hijacking or shadowing.
Affected Products:
Mobility46 mobility46.se – all
Exploit Status:
no public exploit
CVE-2026-22878
CVSS 6.5 – Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Affected Products:
Mobility46 mobility46.se – all
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts (T1078) – a harvested station identifier is accepted as a valid account by the WebSocket API
Brute Force (T1110) – unlimited authentication attempts against the WebSocket API
Use Alternate Authentication Material (T1550) – a publicly available identifier stands in for a real credential
Application Layer Protocol (T1071) – the WebSocket connection itself carries attacker traffic to and from the backend
Network Denial of Service (T1498) – unthrottled authentication requests can exhaust the service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit repeated access attempts
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Missing authentication and session hijacking in charging infrastructure allow unauthorized control of individual stations and disruption of charging service across an operator's network.
Automotive
EV charging network security flaws allow attackers to impersonate charging stations, disrupt vehicle charging services, and compromise electric vehicle ecosystem integrity.
Transportation
Authentication weaknesses in charging infrastructure expose electric transportation networks to denial-of-service conditions and to manipulation of the data and commands exchanged with the backend.
Oil/Energy/Solar/Greentech
Energy sector charging infrastructure faces session hijacking and credential exposure risks that could destabilize electric vehicle adoption and renewable energy integration.
Sources
- Mobility46 mobility46.se – CISA ICS Advisory ICSA-26-057-08: https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to these vulnerabilities because it could limit an attacker's ability to reach and exploit the affected services, reducing the potential impact on the charging infrastructure.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to impersonate legitimate stations and access the WebSocket API would likely have been constrained, reducing unauthorized entry points.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and control the charging infrastructure would likely have been constrained, reducing unauthorized command execution.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely have been constrained, reducing unauthorized access to other systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely have been constrained, reducing unauthorized communication.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely have been constrained, reducing data loss.
The attacker's ability to disrupt charging services would likely have been constrained, reducing service downtime.
Impact at a Glance
Affected Business Functions
- Charging Station Operations
- Customer Billing
- Energy Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of customer billing information and operational data.
Recommended Actions
Key Takeaways & Next Steps
- Implement strong authentication on all WebSocket endpoints so that a connection is accepted only after the client proves possession of a per-station credential, not merely a station identifier.
- Enforce unique session identifiers and allow only one live session per identifier, so a second connection cannot shadow or hijack an existing one; pair this with idle and absolute session timeouts so a stale session does not block a legitimate reconnect.
- Apply rate limiting and lockout on authentication requests per source to mitigate brute-force attacks and authentication-flooding denial of service.
- Restrict public access to charging station authentication identifiers; a station's public map identifier must never double as its credential.
- Deploy Zero Trust Segmentation to enforce least-privilege access and contain potential lateral movement within the network.
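The first four actions above are easiest to reason about in code. The following is an added example, not Mobility46's code: a minimal model of a WebSocket gateway's connection handler, with the vulnerable behaviour described in the attack path (public station ID as the only credential, second connection silently takes over the session) next to a hardened version that enforces a per-station secret via a one-time HMAC challenge, one live session per station, and a per-source failure budget with lockout. Station identifiers, secrets, addresses and limits are all constructed for illustration.

```python
"""Added example (not Mobility46's code): vulnerable vs hardened connection
handling for a charging-station WebSocket gateway. Transport details are
omitted; the model covers only the decisions made when a client connects."""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Constructed per-station secrets, assumed to be provisioned out of band.
STATION_SECRETS = {
    "SE-CP-1042": b"4f1c9a7e0d2b8c3e5a6f7b8d9e0c1a2b",
    "SE-CP-1043": b"9b2d4e6f8a0c1e3f5d7b9a1c3e5f7a9b",
}


class VulnerableGateway:
    """Accepts any client that names a known station ID (public on map sites)."""

    def __init__(self, known_stations):
        self.known = set(known_stations)
        self.sessions = {}                  # station_id -> source

    def connect(self, station_id, source, now):
        if station_id not in self.known:
            return "rejected: unknown station"
        self.sessions[station_id] = source  # overwrites a live session: shadowing
        return "accepted"


def station_respond(secret, nonce):
    """What a genuine charger computes from its provisioned secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class HardenedGateway:
    def __init__(self, station_secrets, max_fail=5, window=60, lockout=300):
        self.secrets = dict(station_secrets)
        self.max_fail, self.window, self.lockout = max_fail, window, lockout
        self.pending = {}                   # (station_id, source) -> nonce
        self.sessions = {}                  # station_id -> source, one per station
        self.failures = defaultdict(deque)  # source -> failure timestamps
        self.locked_until = {}              # source -> unix time

    def challenge(self, station_id, source):
        """Issue a fresh nonce; consumed by this source's next connect()."""
        nonce = secrets.token_bytes(16)
        self.pending[(station_id, source)] = nonce
        return nonce

    def _record_failure(self, source, now):
        recent = self.failures[source]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_fail:
            self.locked_until[source] = now + self.lockout

    def connect(self, station_id, source, now, response):
        if self.locked_until.get(source, 0) > now:
            return "rejected: source rate-limited"
        secret = self.secrets.get(station_id)
        nonce = self.pending.pop((station_id, source), None)  # single use, no replay
        ok = (secret is not None and nonce is not None
              and hmac.compare_digest(station_respond(secret, nonce), response))
        if not ok:
            self._record_failure(source, now)
            return "rejected: authentication failed"
        if station_id in self.sessions:
            # A correct proof still cannot shadow a live session.
            return "rejected: station already has an active session"
        self.sessions[station_id] = source
        return "accepted"

    def disconnect(self, station_id, source):
        if self.sessions.get(station_id) == source:
            del self.sessions[station_id]


if __name__ == "__main__":
    gw = HardenedGateway(STATION_SECRETS)
    nonce = gw.challenge("SE-CP-1042", "203.0.113.7")
    print(gw.connect("SE-CP-1042", "203.0.113.7", 1000,
                     station_respond(STATION_SECRETS["SE-CP-1042"], nonce)))
    gw.challenge("SE-CP-1042", "198.51.100.9")
    print(gw.connect("SE-CP-1042", "198.51.100.9", 1001, b"\x00" * 32))
```

Rejecting the second connection, rather than evicting the first, is a deliberate choice: it stops a hijacker from displacing the real station, but it also means a station that crashed without disconnecting is blocked until its stale session expires, which is why the session-expiration action above has to accompany the single-session rule.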