PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27764 Unknown Vendor CVE debrief

CVE-2026-27764, published by CISA on 2026-03-03, describes a WebSocket session-management flaw in Mobiliti e-mobi.hu where charging station identifiers are used as session identifiers. Because multiple endpoints can connect with the same identifier, a newer connection can displace the legitimate station, receive commands intended for it, and potentially enable unauthorized access or denial of service.

Vendor: Unknown Vendor
Product: Mobiliti e-mobi.hu vers:all/*
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-03
Original CVE updated: 2026-03-03
Advisory published: 2026-03-03
Advisory updated: 2026-03-03

Who should care

Operators and administrators of Mobiliti e-mobi.hu deployments, EV charging/OT asset owners, and SOC or incident-response teams monitoring WebSocket-based station control and authentication flows.

Technical summary

The advisory states that the backend associates sessions using charging-station identifiers instead of unguessable, per-session values. That design makes session identifiers predictable and allows multiple endpoints to bind to the same session identifier. The result is session hijacking or shadowing, where the most recent connection can replace the legitimate charging station and receive backend commands intended for that station. CISA also notes the issue may allow unauthorized users to authenticate as other users or create denial-of-service conditions by overwhelming the backend with valid session requests.

Defensive priority

High: network-reachable session handling weakness with direct command-routing impact, potential impersonation, and service disruption.

Recommended defensive actions

  • Verify whether any Mobiliti e-mobi.hu deployments rely on charging-station identifiers as WebSocket session keys and treat exposed instances as potentially affected.
  • Restrict backend and WebSocket access to trusted networks or VPN paths where possible, and monitor for duplicate session identifiers, repeated reconnects, and abnormal session replacement events.
  • Move to unpredictable, server-generated session tokens and enforce strict one-session-per-station binding with collision rejection and re-authentication on reconnect.
  • Add logging and alerting for session collisions, shadowing events, and unexpected command routing to the wrong station or endpoint.
  • Follow CISA ICS recommended practices and defense-in-depth guidance, and contact Mobiliti using the vendor support page referenced in the advisory for remediation information.
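The weak pattern described in the technical summary and the session-handling fixes listed above, worked through as an added example that is not code from the advisory, from CISA, or from Mobiliti. It models an in-memory session registry keyed by charging-station identifier (newest connection wins) next to a hardened registry that issues server-generated tokens, binds one live session per station, rejects collisions, requires re-authentication on reconnect, and records collision events for alerting. The per-station shared secret, the station identifier "CS-0001", the peer addresses and the command names are constructed assumptions; nothing here speaks WebSocket or touches a network.

```python
"""Added example (not the advisory's or vendor's code): station-id-keyed sessions
versus server-generated session tokens with collision rejection and auditing."""

import hmac
import secrets


class Connection:
    """Stand-in for a WebSocket connection; records what the backend sends it."""

    def __init__(self, peer):
        self.peer = peer        # source address, kept only for the audit trail
        self.inbox = []

    def send(self, msg):
        self.inbox.append(msg)


class WeakRegistry:
    """The flaw: the station identifier *is* the session key, so a later connection
    presenting the same identifier silently replaces the earlier one and receives
    the backend's commands for that station."""

    def __init__(self):
        self.sessions = {}      # station_id -> Connection

    def connect(self, station_id, conn):
        self.sessions[station_id] = conn    # last writer wins, no collision check
        return station_id                   # "session id" is the predictable station id

    def route(self, station_id, command):
        self.sessions[station_id].send(command)


class HardenedRegistry:
    """Mitigation: unguessable server-generated tokens, one live session per station,
    collision rejection, credential check on every (re)connect, audit events."""

    def __init__(self, credentials):
        self.credentials = credentials      # station_id -> shared secret (assumed provisioning model)
        self.by_token = {}                  # token -> (station_id, Connection)
        self.by_station = {}                # station_id -> token
        self.audit = []                     # (event, station_id, peer)

    def connect(self, station_id, presented_secret, conn):
        expected = self.credentials.get(station_id)
        if expected is None or not hmac.compare_digest(expected, presented_secret):
            self.audit.append(("auth_failure", station_id, conn.peer))
            return None
        if station_id in self.by_station:
            # A live session exists: refuse to shadow it and record the collision.
            self.audit.append(("session_collision", station_id, conn.peer))
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, never derived from the station id
        self.by_token[token] = (station_id, conn)
        self.by_station[station_id] = token
        return token

    def disconnect(self, token):
        station_id, _ = self.by_token.pop(token)
        del self.by_station[station_id]     # the station must re-authenticate to come back

    def route(self, station_id, command):
        token = self.by_station.get(station_id)
        if token is None:
            raise KeyError(f"no live session for {station_id}")
        self.by_token[token][1].send(command)


def collision_alerts(audit, threshold=3):
    """Detection helper: stations whose collision count reaches the threshold, the
    'duplicate session identifier / repeated reconnect' signal worth alerting on."""
    counts = {}
    for event, station_id, _peer in audit:
        if event == "session_collision":
            counts[station_id] = counts.get(station_id, 0) + 1
    return sorted(s for s, n in counts.items() if n >= threshold)


def demo():
    """Runs both registries on one constructed scenario and returns a summary."""
    station, secret = "CS-0001", "constructed-secret-for-CS-0001"

    weak = WeakRegistry()
    legit_w, later_w = Connection("10.0.0.5"), Connection("198.51.100.9")
    weak_sid = weak.connect(station, legit_w)
    weak.connect(station, later_w)                  # displaces the legitimate station
    weak.route(station, "RemoteStartTransaction")

    hard = HardenedRegistry({station: secret})
    legit_h, later_h = Connection("10.0.0.5"), Connection("198.51.100.9")
    token = hard.connect(station, secret, legit_h)
    rejected = [hard.connect(station, secret, later_h) for _ in range(3)]
    bad_auth = hard.connect(station, "wrong-secret", later_h)
    hard.route(station, "RemoteStartTransaction")
    hard.disconnect(token)
    new_token = hard.connect(station, secret, Connection("10.0.0.5"))

    return {
        "weak_session_id": weak_sid,
        "weak_received_by": later_w.peer if later_w.inbox else legit_w.peer,
        "hardened_token_len": len(token),
        "hardened_rejected": rejected.count(None),
        "bad_auth_rejected": bad_auth is None,
        "hardened_received_by": legit_h.peer if legit_h.inbox else later_h.peer,
        "auth_failures": sum(1 for e in hard.audit if e[0] == "auth_failure"),
        "reconnect_got_fresh_token": new_token is not None and new_token != token,
        "alerts": collision_alerts(hard.audit),
    }


if __name__ == "__main__":
    print(demo())
```

In the weak registry the command lands on the later endpoint, which is the shadowing the advisory describes; in the hardened registry the second endpoint never obtains a token, the legitimate station keeps receiving commands, and the three rejected attempts surface as a collision alert for the station. A real deployment would also expire tokens and tie the audit events into the SOC's alerting pipeline, which the advisory's monitoring recommendation calls for.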

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-062-06 / CVE-2026-27764 and its linked official references. The source describes predictable WebSocket session identifiers, session hijacking/shadowing, unauthorized authentication risk, and potential denial of service. The source item also notes that Mobiliti did not respond to CISA's coordination request.

Official resources

CISA published the advisory on 2026-03-03. The source notes that Mobiliti did not respond to CISA's coordination request, and the advisory provides a vendor contact page for follow-up.