PatchSiren cyber security CVE debrief
CVE-2026-25114 CloudCharge CVE debrief
CVE-2026-25114 affects CloudCharge cloudcharge.se. According to CISA’s advisory, the WebSocket Application Programming Interface does not restrict authentication request volume, which can let an attacker disrupt charger telemetry or attempt brute-force access. The issue is network-reachable and scored CVSS 3.1 7.5 HIGH.
- Vendor: CloudCharge
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Operators and administrators of CloudCharge deployments, OT/charging-infrastructure defenders, SOC analysts, and incident responders responsible for WebSocket-exposed telemetry or authentication services.
Technical summary
The reported weakness is missing rate limiting on authentication requests to a WebSocket API. CISA states this can be abused to suppress or mis-route legitimate charger telemetry, creating denial-of-service conditions, and may also support brute-force attempts to gain unauthorized access. The advisory does not provide exploit steps, and no additional technical detail is supplied in the source beyond the authentication-request volume issue.
Defensive priority
High priority for any exposed or operationally critical deployment, especially if the WebSocket service is reachable from untrusted networks or supports production charger telemetry. The primary impact described is availability, with a secondary risk of unauthorized access through brute-force attempts.
Recommended defensive actions
- Restrict network access to the WebSocket service to trusted hosts and management networks only.
- Implement server-side rate limiting, backoff, throttling, and account-lockout controls for authentication attempts.
- Monitor for abnormal authentication request bursts, repeated failures, telemetry suppression, and routing anomalies.
- Segment charger telemetry paths so a single WebSocket endpoint cannot easily disrupt broader operations.
- Use strong authentication and rotate credentials or secrets if brute-force exposure is suspected.
- Follow CISA ICS defense-in-depth and recommended-practices guidance while coordinating directly with CloudCharge using the contact information in the advisory.
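The rate-limiting, backoff and lockout action above can be sketched as a small gate called before any credential check on the WebSocket authentication path. This is an added example, not CloudCharge code and not taken from the advisory; the class name, thresholds and key format are assumptions.

```python
import time
from collections import defaultdict, deque


class AuthAttemptLimiter:
    """Sliding-window cap plus exponential lockout for authentication attempts.

    Each key (for example source address and claimed charger identity) is
    tracked on its own, so rotating one of them does not reset the other.
    """

    def __init__(self, max_attempts=5, window=60.0, base_lockout=30.0,
                 max_lockout=3600.0, clock=time.monotonic):
        self.max_attempts = max_attempts      # assumed threshold, tune per deployment
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._attempts = defaultdict(deque)   # key -> timestamps inside the window
        self._strikes = defaultdict(int)      # key -> lockouts so far (drives backoff)
        self._locked_until = {}               # key -> time the lockout ends

    def check(self, *keys):
        """Call before verifying credentials. Returns (allowed, retry_after_seconds)."""
        now = self.clock()
        retry = max([self._locked_until.get(k, 0.0) - now for k in keys] + [0.0])
        if retry > 0:
            return False, retry               # still locked: reject without checking credentials
        for k in keys:
            q = self._attempts[k]
            while q and now - q[0] >= self.window:
                q.popleft()                   # drop attempts that aged out of the window
            q.append(now)
            if len(q) > self.max_attempts:
                self._strikes[k] += 1         # each new lockout doubles the previous one
                lock = min(self.base_lockout * 2 ** (self._strikes[k] - 1), self.max_lockout)
                self._locked_until[k] = now + lock
                q.clear()
                retry = max(retry, lock)
        return retry == 0, retry

    def record_success(self, identity_key):
        """Reset backoff for an identity after a valid login; source keys are never reset."""
        self._strikes.pop(identity_key, None)
        self._attempts.pop(identity_key, None)
```

A lockout keyed only on charger identity can itself keep a real charger offline, so combine it with the network restriction in the first action and alert on every lockout.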
Evidence notes
This debrief is based on CISA CSAF advisory ICSA-26-057-03, published 2026-02-26, which states that the WebSocket Application Programming Interface lacks restrictions on authentication requests. The advisory explicitly links the condition to denial-of-service risk against charger telemetry and to brute-force attempts for unauthorized access. CISA also notes that CloudCharge did not respond to its coordination request.
Official resources
- CVE-2026-25114 CVE record (CVE.org)
- CVE-2026-25114 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-02-26. The source advisory states that CloudCharge did not respond to CISA’s coordination request. This debrief does not assert any unverified vendor details beyond the supplied advisory metadata.