PatchSiren cyber security CVE debrief
CVE-2026-20882 Unknown Vendor CVE debrief
CVE-2026-20882 affects Mobiliti e-mobi.hu vers:all/* and is described by CISA as a WebSocket API issue with no restriction on the number of authentication requests. In practice, that creates two defensive concerns: an attacker may flood the authentication path to suppress or mis-route legitimate charger telemetry, or may repeatedly attempt logins to increase brute-force pressure against exposed access controls. CISA published the advisory on 2026-03-03 and rates the issue 7.5 HIGH.
- Vendor: Unknown Vendor
- Product: Mobiliti e-mobi.hu vers:all/*
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-03
- Original CVE updated: 2026-03-03
- Advisory published: 2026-03-03
- Advisory updated: 2026-03-03
Who should care
Operators and defenders responsible for Mobiliti e-mobi.hu deployments, especially teams managing charger telemetry, WebSocket-facing services, authentication controls, and OT/ICS network boundaries.
Technical summary
The advisory states that the WebSocket Application Programming Interface lacks rate limiting on authentication requests. The affected scope is listed as Mobiliti e-mobi.hu vers:all/*, with CVSS v3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The reported impact is availability-focused, with a stated risk of denial-of-service against charger telemetry and brute-force attempts against authentication.
Defensive priority
High priority. Exposed WebSocket authentication endpoints should be throttled, access-restricted, and monitored quickly because the attack path is network-reachable, requires no privileges, and can directly affect service availability and telemetry integrity.
Recommended defensive actions
- Add strict rate limiting and exponential backoff to WebSocket authentication requests.
- Require network-level access controls for the WebSocket service, such as VPN, allowlisting, or segmented management networks.
- Monitor authentication failures, request bursts, and gaps in charger telemetry for signs of abuse or service degradation.
- Review whether stronger authentication controls, lockout thresholds, or secondary verification can be added without breaking operations.
- Apply CISA ICS recommended practices and defense-in-depth guidance to the affected deployment.
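One way to implement the first recommendation, per-client rate limiting with exponential backoff in front of the WebSocket authentication handler. This is an added sketch, not code from CISA or the vendor; the class names, the `client_id` key and all limit values are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass
class ClientState:
    attempts: list = field(default_factory=list)  # times of recent auth requests
    failures: int = 0            # consecutive failed authentications
    blocked_until: float = 0.0   # end of the current backoff period

class AuthThrottle:
    """Gate consulted before each WebSocket authentication message is processed."""

    def __init__(self, max_per_window=5, window=60.0, base_delay=1.0,
                 max_delay=900.0, clock=time.monotonic):
        # All limits are illustrative values, not taken from the advisory.
        self.max_per_window, self.window = max_per_window, window
        self.base_delay, self.max_delay = base_delay, max_delay
        self.clock = clock
        self._clients = {}

    def check(self, client_id):
        """Return (allowed, retry_after_seconds) for one auth request."""
        now = self.clock()
        st = self._clients.setdefault(client_id, ClientState())
        if now < st.blocked_until:                      # still in backoff
            return False, st.blocked_until - now
        st.attempts = [t for t in st.attempts if now - t < self.window]
        if len(st.attempts) >= self.max_per_window:     # sliding-window rate limit
            return False, self.window - (now - st.attempts[0])
        st.attempts.append(now)
        return True, 0.0

    def record(self, client_id, success):
        """Report the result of an allowed attempt; each failure doubles the delay."""
        st = self._clients.setdefault(client_id, ClientState())
        if success:
            st.failures, st.blocked_until = 0, 0.0
            return
        st.failures += 1
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.blocked_until = self.clock() + delay
```

Key the throttle on the source address (or address plus claimed identity) rather than the claimed identity alone, so failed attempts from elsewhere cannot hold a legitimate charger in backoff. A production deployment would also expire idle entries so the per-client table cannot grow without bound.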
Evidence notes
The supplied CISA CSAF advisory (ICSA-26-062-06) and CVE record identify the issue as insufficient restrictions on WebSocket authentication requests, with stated effects of denial-of-service and brute-force attempts. The advisory assigns CVSS v3.1 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The source metadata also includes an SSVCv2 note of E:N/A:Y. The vendor attribution in the provided metadata is low-confidence and marked for review; the advisory itself names the product as Mobiliti e-mobi.hu vers:all/*.
Official resources
- CVE-2026-20882 CVE record (CVE.org)
- CVE-2026-20882 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published ICSA-26-062-06 on 2026-03-03, and the supplied advisory metadata notes that Mobiliti did not respond to CISA's request for coordination. The supplied enrichment does not list the issue in KEV.