PatchSiren cyber security CVE debrief

CVE-2026-31903 IGL-Technologies CVE debrief

CVE-2026-31903 affects IGL-Technologies eParking.fi and is described by CISA as a lack of restrictions on the number of WebSocket authentication requests. In practical terms, that missing rate limiting can let a remote attacker flood authentication attempts, potentially disrupting charger telemetry or increasing the chance of brute-force access. CISA’s advisory also states that IGL-Technologies updated eParking’s OCPP servers with stronger authentication, device whitelisting, rate limiting, and enhanced monitoring.

Vendor: IGL-Technologies
Product: eParking.fi
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-19
Original CVE updated: 2026-03-19
Advisory published: 2026-03-19
Advisory updated: 2026-03-19

Who should care

Operators and administrators of IGL-Technologies eParking.fi, especially teams managing OCPP server deployments, charger telemetry, authentication controls, and monitoring for connected charging infrastructure.

Technical summary

The advisory describes a network-reachable WebSocket application interface that does not limit authentication requests. CISA says this can enable denial-of-service conditions by suppressing or mis-routing legitimate charger telemetry, and can also support brute-force attempts to gain unauthorized access. The supplied mitigation notes indicate that updated OCPP servers now enforce stronger security profiles, device-level whitelisting, rate limiting, and automated monitoring; CISA also notes that encrypted eParking OCPP deployments and IGL-Technologies’ eTolppa protocol are not impacted.

Defensive priority

High

Recommended defensive actions

  • Apply the vendor-updated eParking OCPP server protections referenced in the advisory.
  • Enforce strong authentication and modern security profiles for any exposed WebSocket authentication path.
  • Add rate limiting or throttling for authentication requests to reduce brute-force and DoS risk.
  • Restrict connections to known charging units using device-level whitelisting.
  • Monitor for abnormal network and authentication activity and alert on spikes or repeated failures.
  • Confirm whether your deployment uses the impacted eParking OCPP server path or one of the stated non-impacted encrypted/eTolppa deployments.
  • Contact IGL-Technologies security at [email protected] if you need clarification on exposure or remediation.
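As an added illustration of the rate-limiting and monitoring actions above (example code written for this debrief, not code from IGL-Technologies, CISA, or any OCPP server implementation), the block below places a sliding-window throttle in front of a WebSocket authentication step, keyed both by source address and by the charge-point id the client claims, and pairs it with a monitor that raises an alert once failed attempts cluster. The limits, window sizes, key names, `credential_valid` stand-in for the real credential check, and the attempt log are all constructed for the example.

```python
"""Sliding-window throttle and failure monitor for WebSocket authentication attempts.

Hypothetical defensive example: names, limits and sample data are this example's
own and do not come from the eParking/OCPP software or the CISA advisory.
"""
from collections import Counter, defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # age out old attempts
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget exhausted: reject before touching the auth backend
        q.append(now)
        return True


class FailureMonitor:
    """Track failed authentications per key; alert when a burst reaches `threshold`."""

    def __init__(self, threshold: int, window: float):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)
        self.alerts = []  # (timestamp, key, failure_count), one per burst

    def record(self, key: str, now: float, success: bool) -> None:
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if success:
            q.clear()  # a successful authentication ends the failure streak
            return
        q.append(now)
        if len(q) == self.threshold:  # fire once as the burst crosses the threshold
            self.alerts.append((now, key, len(q)))


def handle_auth_attempt(limiter, monitor, source_ip, charge_point_id, credential_valid, now):
    """Gate one authentication attempt; returns 'throttled', 'accepted' or 'rejected'."""
    keys = (f"ip:{source_ip}", f"cp:{charge_point_id}")
    # Every attempt is charged against both budgets, whether or not it passes.
    allowed = [limiter.allow(k, now) for k in keys]
    if not all(allowed):
        return "throttled"
    # credential_valid stands in for the real password / client-certificate check.
    for k in keys:
        monitor.record(k, now, credential_valid)
    return "accepted" if credential_valid else "rejected"


# Constructed attempt log: (seconds, source_ip, charge_point_id, credential_valid).
# One legitimate charger, then a burst of bad credentials against CP-002 from one address.
CONSTRUCTED_ATTEMPTS = [(0.0, "198.51.100.7", "CP-001", True)]
CONSTRUCTED_ATTEMPTS += [(1.0 + 0.5 * i, "203.0.113.9", "CP-002", False) for i in range(8)]
CONSTRUCTED_ATTEMPTS.append((120.0, "198.51.100.7", "CP-001", True))


def run_simulation(attempts, limit=5, window=60.0, fail_threshold=3):
    """Replay an attempt log; return outcome counts and the alerts the monitor raised."""
    limiter = SlidingWindowLimiter(limit, window)
    monitor = FailureMonitor(fail_threshold, window)
    outcomes = Counter()
    for now, ip, cp, ok in attempts:
        outcomes[handle_auth_attempt(limiter, monitor, ip, cp, ok, now)] += 1
    return dict(outcomes), monitor.alerts


if __name__ == "__main__":
    counts, alerts = run_simulation(CONSTRUCTED_ATTEMPTS)
    print(counts)  # {'accepted': 2, 'rejected': 5, 'throttled': 3}
    for ts, key, n in alerts:
        print(f"ALERT t={ts:.1f}s {key}: {n} failed authentications in window")
```

Keying on the claimed charge-point id as well as the source address matters because a single charger identity can be targeted from many addresses; the per-charger budget still closes once the window fills, while the legitimate charger in the sample log is unaffected once its own window has aged out.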

Evidence notes

All substantive claims in this debrief are taken from the supplied CISA CSAF advisory for ICSA-26-078-07 / CVE-2026-31903 and its listed remediation notes. The source states that the WebSocket API lacks authentication request limits and that the resulting risks are denial of service via telemetry disruption and brute-force access attempts. Timing context uses the supplied advisory/CVE publication date of 2026-03-19; no earlier public issue date is asserted here.

Official resources

CISA published the advisory and CVE record on 2026-03-19 as the initial publication of ICSA-26-078-07 / CVE-2026-31903.