PatchSiren cyber security CVE debrief
CVE-2026-24912 Unknown Vendor CVE debrief
CVE-2026-24912 affects ePower epower.ie and was published by CISA on 2026-03-03. The advisory describes a WebSocket backend that relies on charging-station identifiers as session identifiers, but allows multiple endpoints to connect using the same identifier. As a result, the newest connection can displace the legitimate station and receive backend commands intended for that station. The issue can enable session hijacking or shadowing, unauthorized authentication as another user, and denial of service through repeated valid session requests.
- Vendor: Unknown Vendor
- Product: ePower epower.ie vers:all/*
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-03
- Original CVE updated: 2026-03-03
- Advisory published: 2026-03-03
- Advisory updated: 2026-03-03
Who should care
Operators and maintainers of ePower epower.ie deployments, especially environments where charging stations communicate over WebSocket backends. Security teams responsible for OT/ICS-connected charging infrastructure should treat this as a high-priority identity and availability issue.
Technical summary
According to the CISA CSAF advisory, the backend uses charging-station identifiers to uniquely associate sessions, but it does not enforce uniqueness for connected endpoints. That design makes session identifiers predictable and allows a later connection to supersede an existing one. The practical impact is session shadowing/hijacking, where backend commands intended for one station can be routed to another connection, plus potential service disruption when valid session requests are overwhelmed. CISA lists the issue with CVSS v3.1 7.3 (HIGH) and the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.
Defensive priority
High. The issue is network-reachable, requires no privileges or user interaction, and can affect confidentiality, integrity, and availability. In connected charging or OT environments, loss of session integrity can directly impact operational control and uptime.
Recommended defensive actions
- Review whether any ePower epower.ie deployment is in use and treat all versions covered by the advisory scope as potentially affected.
- Contact ePower via the vendor support page for remediation guidance and monitor for a vendor fix or coordinated update.
- Restrict access to the WebSocket backend to trusted network paths only, using segmentation and firewall controls.
- Monitor for duplicate charging-station identifiers, unexpected session replacement, or repeated valid session requests that could indicate shadowing or denial-of-service activity.
- Apply CISA ICS recommended practices and defense-in-depth guidance for segmentation, least privilege, monitoring, and incident response around OT-facing services.
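To make the defect in the technical summary concrete, and to show what the "duplicate identifier / session replacement" monitoring above can key on, here is an added illustration (constructed for this debrief, not ePower's code): a minimal session registry keyed on the station identifier, first in the "last connection wins" form the advisory describes, then a variant that refuses a second live session for the same identifier and records the collision for alerting. Station identifiers and addresses are constructed sample values.

```python
"""Constructed illustration of the CVE-2026-24912 design defect (added example,
not vendor code): station identifiers used as session keys."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Conn:
    conn_id: str   # per-socket id assigned by the server
    remote: str    # peer address, used here only for the alert text


class ShadowableRegistry:
    """Mirrors the advisory: a later connection presenting the same station
    identifier silently displaces the existing session, so backend commands
    for that station are routed to whoever connected last."""
    def __init__(self) -> None:
        self.sessions: Dict[str, Conn] = {}

    def register(self, station_id: str, conn: Conn) -> bool:
        self.sessions[station_id] = conn   # plain overwrite, no uniqueness check
        return True

    def route(self, station_id: str) -> Optional[Conn]:
        return self.sessions.get(station_id)


class StrictRegistry:
    """Hardened variant: at most one live session per station identifier.
    A second connection is refused, and the collision is recorded so the
    monitoring recommended above has an event to alert on."""
    def __init__(self) -> None:
        self.sessions: Dict[str, Conn] = {}
        self.alerts: List[str] = []

    def register(self, station_id: str, conn: Conn) -> bool:
        existing = self.sessions.get(station_id)
        if existing is not None and existing.conn_id != conn.conn_id:
            self.alerts.append(f"duplicate station_id={station_id} from "
                               f"{conn.remote} while {existing.remote} is active")
            return False
        self.sessions[station_id] = conn
        return True

    def unregister(self, station_id: str, conn_id: str) -> None:
        # Only the socket that owns the session may release it, so a refused
        # connection closing cannot tear down the legitimate station's session.
        existing = self.sessions.get(station_id)
        if existing is not None and existing.conn_id == conn_id:
            del self.sessions[station_id]

    def route(self, station_id: str) -> Optional[Conn]:
        return self.sessions.get(station_id)


def who_receives_commands(registry) -> str:
    """Register a legitimate station, then a second connection claiming the
    same identifier (constructed sample data); return the address that the
    backend would now route station commands to."""
    registry.register("CS-0001", Conn("c1", "10.0.0.5"))
    registry.register("CS-0001", Conn("c2", "198.51.100.7"))
    return registry.route("CS-0001").remote
```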
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-062-07 for CVE-2026-24912, published 2026-03-03 with an initial revision. The advisory text explicitly states that multiple endpoints can connect using the same session identifier, leading to predictable identifiers and session shadowing/hijacking. It also states that ePower did not respond to CISA's request for coordination. The advisory includes CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (score 7.3) and an SSVCv2 note dated 2026-03-02T06:00:00Z; that SSVC timestamp is not treated as the CVE publication date.
Official resources
- CVE-2026-24912 CVE record (CVE.org)
- CVE-2026-24912 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA published the advisory on 2026-03-03 and notes that ePower did not respond to CISA's coordination request. The source corpus does not include a vendor patch or remediation release; only the vendor support contact page is provided.