PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27647 Mobility46 CVE debrief

CVE-2026-27647 affects a Mobility46 WebSocket backend that relies on charging station identifiers to associate sessions. Because multiple endpoints can connect using the same session identifier, a newer connection can displace the legitimate station and receive backend commands intended for it. CISA describes the result as session hijacking or shadowing, with potential unauthorized authentication and denial-of-service through valid session flooding.

Vendor
Mobility46
Product
Unknown
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-26
Original CVE updated
2026-02-26
Advisory published
2026-02-26
Advisory updated
2026-02-26

Who should care

Operators, integrators, and administrators responsible for Mobility46 deployments; teams securing charging infrastructure or other WebSocket-backed control systems; SOC and incident responders monitoring authenticated session handling and backend command routing.

Technical summary

The advisory states that the backend uses charging-station identifiers as session identifiers and does not enforce uniqueness. Station identifiers are not secret (they are shared with the station, its operator, and anyone who can observe it), so the session identifiers built from them are predictable; and because uniqueness is not enforced, more than one endpoint can attach to the same session. The most recent connection shadows the legitimate station and inherits the commands meant for it. CISA scores the issue CVSS v3.1 7.3 (HIGH): network attack vector, low attack complexity, no privileges required, with low impact to each of confidentiality, integrity, and availability.
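The following is an added illustration of the mechanism described above, placed beside one hardened design; it is not Mobility46's code, and the product's real protocol, message formats and identifiers are unknown. The station ID, per-station secret, peer addresses, the command name and the Conn stand-in are all constructed for the demo. The weak registry keys sessions on the station ID alone and lets the newest connection win; the hardened one issues a session only after a challenge-response proof of a per-station secret, addresses it by a random token, and refuses (and alerts on) a second attach rather than displacing the live one.

```python
"""Session shadowing, weak registry beside a hardened one.

Added example code, not Mobility46's backend: the product's real protocol,
messages and identifiers are unknown. Station IDs, secrets, peers and the
Conn stand-in are all constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Conn:
    """Stand-in for one WebSocket connection; no real socket."""
    peer: str
    inbox: list = field(default_factory=list)

    def send(self, msg):
        self.inbox.append(msg)


class WeakRegistry:
    """The flawed pattern: the predictable station ID is the whole session key,
    nothing is authenticated, and the newest connection displaces the last."""

    def __init__(self):
        self.sessions = {}

    def attach(self, station_id, conn):
        self.sessions[station_id] = conn            # last writer wins, silently

    def route(self, station_id, cmd):
        self.sessions[station_id].send(cmd)         # delivered to whoever attached last


class HardenedRegistry:
    """One live session per station, granted only after a challenge-response
    proof of a per-station secret and addressed by a random token; a second
    attach is refused and raised as an alert instead of displacing the first."""

    def __init__(self, station_secrets):
        self.secrets = station_secrets   # station_id -> key, provisioned out of band (assumed)
        self.live = {}                   # station_id -> (token, conn)
        self.pending = {}                # id(conn) -> nonce issued to that connection
        self.alerts = []

    def challenge(self, conn):
        nonce = secrets.token_bytes(16)  # fresh per handshake, so a captured proof cannot be replayed
        self.pending[id(conn)] = nonce
        return nonce

    def attach(self, station_id, conn, proof):
        nonce, key = self.pending.pop(id(conn), None), self.secrets.get(station_id)
        if nonce is None or key is None:
            return None
        if not hmac.compare_digest(hmac.new(key, nonce, hashlib.sha256).digest(), proof):
            self.alerts.append(f"bad proof for {station_id} from {conn.peer}")
            return None
        if station_id in self.live:
            self.alerts.append(f"duplicate attach for {station_id} from {conn.peer}")
            return None                  # keep the existing session; do not shadow it
        token = secrets.token_urlsafe(32)
        self.live[station_id] = (token, conn)
        return token

    def detach(self, station_id, token):
        entry = self.live.get(station_id)
        if entry is None or not hmac.compare_digest(entry[0], token):
            return False
        del self.live[station_id]
        return True

    def route(self, station_id, cmd):
        entry = self.live.get(station_id)
        if entry is None:
            return False
        entry[1].send(cmd)
        return True


def prove(secret, nonce):
    """What a genuine station computes in answer to the challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    station, secret, cmd = "CS-1042", b"per-station-secret", "RemoteStartTransaction"  # constructed

    weak, legit_w, attacker_w = WeakRegistry(), Conn("10.0.5.7"), Conn("203.0.113.50")
    weak.attach(station, legit_w)
    weak.attach(station, attacker_w)                 # same guessable ID, newest wins
    weak.route(station, cmd)

    hard, legit_h, attacker_h = HardenedRegistry({station: secret}), Conn("10.0.5.7"), Conn("203.0.113.50")
    token = hard.attach(station, legit_h, prove(secret, hard.challenge(legit_h)))
    forged = hard.attach(station, attacker_h, prove(b"guess", hard.challenge(attacker_h)))
    dup = hard.attach(station, attacker_h, prove(secret, hard.challenge(attacker_h)))  # even with a cloned secret, refused
    hard.route(station, cmd)
    reattached = hard.detach(station, token) and bool(
        hard.attach(station, legit_h, prove(secret, hard.challenge(legit_h))))
    return {
        "weak_attacker_got": list(attacker_w.inbox), "weak_legit_got": list(legit_w.inbox),
        "hard_token_issued": token is not None, "hard_forged_refused": forged is None,
        "hard_duplicate_refused": dup is None, "hard_legit_got": list(legit_h.inbox),
        "hard_attacker_got": list(attacker_h.inbox), "hard_reattach_after_detach": reattached,
        "alerts": list(hard.alerts),
    }
```

Run demo() to see both outcomes side by side: in the weak registry the command lands in the attacker's inbox and the legitimate station receives nothing, while in the hardened one the attacker gets neither a session nor a command and each refused attempt leaves an alert. The refusal of a duplicate attach is a deliberate choice: a station that dropped and reconnected must first be detached (here with its token; in practice via a liveness timeout on the old connection), which is what makes the duplicate visible to an operator instead of silently resolved in the attacker's favour.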

Defensive priority

High. This is a network-reachable session management weakness with no authentication required and direct impact to command routing and service availability, so affected deployments should be prioritized for validation and isolation until vendor guidance or a fix is confirmed.

Recommended defensive actions

  • Identify whether any deployed Mobility46 or mobility46.se components match the affected product scope listed in the advisory.
  • Review WebSocket session management to ensure session identifiers are unique, unpredictable, and bound to a single authenticated endpoint.
  • Monitor for duplicate or rapidly replaced charging-station sessions, especially where a new connection causes the old one to be displaced.
  • Limit exposure of the WebSocket backend to trusted networks and apply segmentation and access controls where feasible.
  • Use CISA ICS recommended practices and defense-in-depth guidance from the referenced materials to reduce blast radius while remediation is pending.
  • Coordinate with the vendor or product owner using the advisory guidance if your deployment is affected.
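As an added example of the monitoring step above (not a Mobility46 or CISA artifact), here is detection logic for the two patterns the advisory implies: a connect for a station whose previous session never closed, which is what displacement or shadowing looks like from the backend side, and a burst of connects for one station, which is the valid-session flooding case. The log format is assumed (one line per WebSocket connect or close carrying station= and peer= fields) and the sample lines are constructed; map your backend's real events onto the same two event kinds.

```python
"""Detecting duplicate or rapidly replaced charging-station sessions.

Added example, not a Mobility46 or CISA artifact. The log format is assumed:
one line per WebSocket connect/close carrying station= and peer= fields;
map your backend's real events onto it. SAMPLE_LOG is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

SAMPLE_LOG = """\
2026-02-26T10:00:01Z ws connect station=CS-1042 peer=10.0.5.7
2026-02-26T10:00:05Z ws connect station=CS-2201 peer=10.0.5.9
2026-02-26T10:00:40Z ws connect station=CS-1042 peer=203.0.113.50
2026-02-26T10:00:41Z ws close station=CS-1042 peer=10.0.5.7 reason=replaced
2026-02-26T10:30:00Z ws close station=CS-2201 peer=10.0.5.9 reason=client
2026-02-26T10:30:20Z ws connect station=CS-2201 peer=10.0.5.9
2026-02-26T11:00:00Z ws connect station=CS-3300 peer=198.51.100.23
2026-02-26T11:00:02Z ws connect station=CS-3300 peer=198.51.100.23
2026-02-26T11:00:04Z ws connect station=CS-3300 peer=198.51.100.23
2026-02-26T11:00:06Z ws connect station=CS-3300 peer=198.51.100.23
"""


def parse_line(line):
    """'<ts> ws <event> k=v k=v ...' -> (datetime, event, {k: v})."""
    ts, _, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, event, fields


def find_shadowing(log_text, flood_window_s=60, flood_threshold=3):
    """Return findings of two kinds:
    overlap - a connect for a station whose previous session never closed
              (the new peer has displaced or is shadowing the old one);
    flood   - flood_threshold or more connects for one station inside
              flood_window_s (valid-session flooding)."""
    live = {}                     # station -> (connect time, peer) of the open session
    recent = defaultdict(deque)   # station -> connect times inside the flood window
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event, f = parse_line(line)
        station, peer = f["station"], f["peer"]
        if event == "connect":
            if station in live:
                old_stamp, old_peer = live[station]
                findings.append({
                    "type": "overlap", "station": station, "at": stamp.isoformat(),
                    "old_peer": old_peer, "new_peer": peer, "peer_changed": peer != old_peer,
                    "old_session_age_s": int((stamp - old_stamp).total_seconds()),
                })
            live[station] = (stamp, peer)
            window = recent[station]
            window.append(stamp)
            while (stamp - window[0]).total_seconds() > flood_window_s:
                window.popleft()
            if len(window) == flood_threshold:     # fire once, when the threshold is crossed
                findings.append({"type": "flood", "station": station, "peer": peer,
                                 "connects": len(window), "window_s": flood_window_s})
        # A close for the displaced peer must not clear the newer session it lost to.
        elif event == "close" and live.get(station, (None, None))[1] == peer:
            del live[station]
    return findings


if __name__ == "__main__":
    for finding in find_shadowing(SAMPLE_LOG):
        print(finding)
```

On the sample, CS-2201 (a clean close followed by a reconnect from the same peer) produces nothing, CS-1042 produces an overlap with peer_changed set because a different address attached while the first session was still open, and CS-3300 produces a single flood finding plus one overlap per extra connect. The peer_changed flag is the field to triage first; same-peer overlaps are usually a station reconnecting without a clean close, which is worth a ticket but not an incident.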

Evidence notes

The debrief is based on CISA CSAF advisory ICSA-26-057-08, published 2026-02-26, which names the product as Mobility46 / mobility46.se and describes predictable, non-unique charging-station session identifiers leading to hijacking/shadowing and potential denial of service. The advisory’s remediation section states that Mobility46 did not respond to CISA’s coordination request. The supplied SSVC note is dated 2026-02-25, but the CVE and advisory publication date used here is 2026-02-26.

Official resources

Publicly disclosed by CISA in advisory ICSA-26-057-08 on 2026-02-26. The source states that Mobility46 did not respond to CISA’s coordination request.