PatchSiren cyber security CVE debrief
CVE-2026-25945 Unknown Vendor CVE debrief
CVE-2026-25945 is a high-severity network-facing weakness in the WebSocket Application Programming Interface (API) of EV2GO ev2go.io. According to CISA’s advisory published on 2026-02-26, the interface does not restrict the number of authentication requests. That can let an attacker repeatedly attempt authentication to disrupt charger telemetry, mis-route or suppress legitimate messages, or support brute-force access attempts.
- Vendor: Unknown Vendor
- Product: EV2GO ev2go.io vers:all/*
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
EV2GO customers and operators, EV charging infrastructure administrators, OT/ICS security teams, and SOC analysts monitoring charger telemetry or WebSocket traffic should prioritize this issue. Network defenders responsible for access control around EV2GO deployments should also review exposure.
Technical summary
The advisory describes missing rate limiting on authentication requests to the WebSocket API. With network access and no privileges, an attacker may send repeated authentication requests to the service. CISA maps the impact primarily to availability (CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; score 7.5). The stated outcomes are suppression or mis-routing of legitimate charger telemetry, denial of service, and brute-force attempts to gain unauthorized access. The source also includes SSVCv2 context of E:N/A:Y with timestamp 2026-02-25T07:00:00Z.
Defensive priority
High. The flaw is remotely reachable, requires no authentication, and can directly affect availability of charging telemetry and operational visibility.
Recommended defensive actions
- Restrict network access to the EV2GO WebSocket API to trusted management and device networks only.
- Implement or enable authentication-request throttling, lockout, or other rate-limiting controls where available.
- Monitor for bursts of failed authentication attempts, abnormal WebSocket connection patterns, and telemetry suppression or routing anomalies.
- Review charger-to-backend segmentation and ensure industrial network protections follow CISA ICS recommended practices.
- Track the CISA advisory and vendor contact page for updates, mitigation guidance, or a future fix.
- Validate whether EV2GO ev2go.io is present in your environment and prioritize affected deployments for review.
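The throttling and monitoring actions above can be demonstrated together. The following is an added example written for this debrief; it is not code from the advisory, from CISA, or from EV2GO, and it assumes nothing about the real ev2go.io API. It assumes a hypothetical per-connection authentication log with one attempt per line in the form `<ISO-8601 timestamp> <source> <auth_ok|auth_fail>` (a constructed format), and it shows two defensive pieces: a per-source limiter with lockout that an operator could place in front of an authentication handler, and a sliding-window detector that flags bursts of failed authentication attempts in such a log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory or any vendor). Source 10.0.0.5
# fails six times in 30 seconds; 10.0.0.7 fails five times but spread over
# four minutes; 10.0.0.9 fails once. Addresses are made up.
SAMPLE_LOG = """\
2026-02-26T10:00:00Z 10.0.0.5 auth_fail
2026-02-26T10:00:03Z 10.0.0.9 auth_ok
2026-02-26T10:00:05Z 10.0.0.5 auth_fail
2026-02-26T10:00:10Z 10.0.0.7 auth_fail
2026-02-26T10:00:11Z 10.0.0.5 auth_fail
2026-02-26T10:00:15Z 10.0.0.5 auth_fail
2026-02-26T10:00:20Z 10.0.0.9 auth_fail
2026-02-26T10:00:22Z 10.0.0.5 auth_fail
2026-02-26T10:00:30Z 10.0.0.5 auth_fail
2026-02-26T10:01:10Z 10.0.0.7 auth_fail
2026-02-26T10:02:10Z 10.0.0.7 auth_fail
2026-02-26T10:03:10Z 10.0.0.7 auth_fail
2026-02-26T10:04:10Z 10.0.0.7 auth_fail
"""


class AuthRateLimiter:
    """Per-source gate for authentication requests (hypothetical control).

    Allows at most `max_attempts` requests per sliding `window`, and locks a
    source out for `lockout` after `max_failures` consecutive failures.
    """

    def __init__(self, max_attempts=5, window=timedelta(seconds=60),
                 max_failures=3, lockout=timedelta(minutes=15)):
        self.max_attempts = max_attempts
        self.window = window
        self.max_failures = max_failures
        self.lockout = lockout
        self.attempts = defaultdict(deque)   # source -> timestamps in window
        self.failures = defaultdict(int)     # source -> consecutive failures
        self.locked_until = {}               # source -> lockout expiry

    def allow(self, src, now):
        """Return True if an auth request from `src` at `now` may proceed."""
        if src in self.locked_until and now < self.locked_until[src]:
            return False
        q = self.attempts[src]
        while q and now - q[0] >= self.window:   # drop expired attempts
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

    def record_result(self, src, now, ok):
        """Feed back the outcome so repeated failures trigger a lockout."""
        if ok:
            self.failures[src] = 0
            return
        self.failures[src] += 1
        if self.failures[src] >= self.max_failures:
            self.locked_until[src] = now + self.lockout
            self.failures[src] = 0


def parse_line(line):
    """Parse one constructed log line into (timestamp, source, event)."""
    ts, src, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, event


def detect_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return {source: first timestamp at which `threshold` failures landed
    inside one sliding `window`}. Sources below the threshold are absent."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, event in map(parse_line, lines):
        if event != "auth_fail":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def run_demo():
    """Exercise both controls on the constructed data; returns plain values."""
    alerts = {src: ts.isoformat()
              for src, ts in detect_bursts(SAMPLE_LOG.splitlines()).items()}
    t0 = datetime(2026, 2, 26, 10, 0, 0)
    lim = AuthRateLimiter(max_attempts=3, window=timedelta(seconds=60),
                          max_failures=2, lockout=timedelta(minutes=15))
    # 3 allowed, 4th refused, allowed again once the window slides.
    gate = [lim.allow("10.0.0.5", t0 + timedelta(seconds=s))
            for s in (0, 1, 2, 3, 61)]
    for _ in range(2):
        lim.record_result("10.0.0.8", t0, ok=False)
    lockout = [lim.allow("10.0.0.8", t0 + timedelta(minutes=5)),
               lim.allow("10.0.0.8", t0 + timedelta(minutes=16))]
    return {"alerts": alerts, "gate": gate, "lockout": lockout}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Only the source that fails five times within a single minute is reported; the slow, spread-out failures from 10.0.0.7 stay below the window threshold, which is the usual trade-off to tune against the expected reconnect behaviour of real chargers. Both the limiter and the detector are keyed on a source identifier; in a deployment that identifier could equally be a charger ID or client certificate rather than an address.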
Evidence notes
This debrief is based on CISA’s CSAF advisory ICSA-26-057-04 and the supplied advisory metadata. The source states that the WebSocket API lacks restrictions on authentication requests and that this may enable denial-of-service and brute-force attacks. The provided enrichment indicates no known KEV listing. Vendor coordination is limited in the source: CISA notes EV2GO did not respond to its request for coordination. Vendor identity confidence in the supplied metadata is low, so the product naming here follows the advisory metadata rather than independent validation.
Official resources
- CVE-2026-25945 CVE record (CVE.org)
- CVE-2026-25945 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory and CVE record on 2026-02-26. The supplied source does not indicate known exploitation in the wild, and the enrichment marks the issue as not KEV-listed. CISA also states EV2GO did not respond to coordination.