PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42952 Hydro-Québec CVE debrief

A high-severity vulnerability, CVE-2026-42952, was found in an unknown vendor's charging station backend. The issue allows an attacker to execute a denial-of-service attack due to a lack of throttling on repeated authentication attempts. The CVE record was published on 2026-07-10T23:16:48.203Z and has not been modified since then. This vulnerability is categorized under CWE-307 and has a CVSS score of 8.7, indicating a high severity level. Organizations should be aware of the potential impact and take necessary actions to mitigate this vulnerability.

Vendor
Hydro-Québec
Product
Le Circuit Electrique charging station backend
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Organizations using charging stations from unknown vendors should prioritize patching this vulnerability to prevent potential denial-of-service attacks. This vulnerability can impact operators of charging stations, platform administrators, vulnerability management teams, and security teams. It is essential to assess the affected scope and severity to determine the necessary actions.

Technical summary

CVE-2026-42952 is a high-severity vulnerability with a CVSS score of 8.7. The vulnerability exists due to the lack of throttling on repeated authentication attempts to the charging station backend, allowing an attacker to execute a denial-of-service attack. The vulnerability is categorized under CWE-307. The affected product or component is the charging station backend, and the likely operational impact is a denial-of-service attack. The source confidence is limited due to the unknown vendor.

Defensive priority

High

Recommended defensive actions

  • Inventory and assess charging station backend systems for potential exposure
  • Apply patches or updates from the vendor, if available
  • Implement compensating controls, such as rate limiting or IP blocking, to mitigate the vulnerability
  • Monitor for suspicious authentication attempts and implement additional security measures as needed
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-10T23:16:48.203Z and has not been modified since then. The NVD entry is currently Received. The vulnerability is attributed to an unknown vendor, and further information is limited. Evidence is based on CVE and NVD data, which may be subject to change as more information becomes available. Defenders should verify the current status and affected products with the vendor or through official advisories.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T23:16:48.203Z and has not been modified since then.