PatchSiren cyber security CVE debrief
CVE-2026-27777 Unknown Vendor CVE debrief
CVE-2026-27777 describes an information-disclosure issue in Mobiliti e-mobi.hu affecting charging-station authentication identifiers that are publicly accessible through web-based mapping platforms. CISA published the advisory on 2026-03-03 and notes Mobiliti did not respond to coordination requests. The exposed data is the primary concern; the advisory does not describe code execution or service disruption, but accessible authentication identifiers can still increase risk for charging infrastructure operators.
- Vendor: Unknown Vendor
- Product: Mobiliti e-mobi.hu vers:all/*
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-03
- Original CVE updated: 2026-03-03
- Advisory published: 2026-03-03
- Advisory updated: 2026-03-03
Who should care
Operators, administrators, and maintainers of Mobiliti / e-mobi.hu charging infrastructure; organizations that publish or integrate charging-station location data with web mapping platforms; defenders responsible for EV charging systems and adjacent web services.
Technical summary
The advisory states that charging station authentication identifiers are publicly accessible via web-based mapping platforms. The CVSS 3.1 vector provided is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: network-reachable, low attack complexity, no privileges or user interaction required, with low confidentiality and integrity impact and no availability impact. The source material references CWE-522 (Insufficiently Protected Credentials), suggesting improper protection of credentials or authentication material. No KEV listing is indicated in the supplied corpus.
Defensive priority
Moderate to high for exposed operators, because the issue is externally reachable and requires no privileges; prioritize systems where charging-station identifiers are published or aggregated online.
Recommended defensive actions
- Inventory any Mobiliti / e-mobi.hu deployments and identify where charging-station authentication identifiers are stored, published, or mirrored.
- Remove or restrict public access to identifiers in web-based mapping platforms and related APIs, and verify that only the minimum necessary metadata is exposed.
- Review access controls, data publishing workflows, and account/identifier management for charging infrastructure.
- Rotate or reissue any authentication identifiers if exposure could affect trust, account separation, or operational access.
- Apply CISA-referenced ICS defensive practices and defense-in-depth guidance to the affected environment.
- Monitor for unexpected access, scraping, or reuse of exposed identifiers.
- Follow the vendor contact path referenced in the advisory if additional remediation guidance is needed.
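A check for the first two actions above, added here as an example and not taken from the CISA advisory or from Mobiliti: it audits an operator's own published map feed against an allowlist of public fields and against the operator's inventory of authentication identifiers. The GeoJSON-style feed layout, the field names and the identifier values are constructed assumptions.

```python
import json

# Assumption: the only properties the operator intends to publish on the map.
PUBLIC_FIELDS = {"name", "address", "connector_types", "power_kw", "status"}
# Constructed inventory of authentication identifiers from the operator's backend.
INVENTORY = {"CS-AUTH-0001", "CS-AUTH-0002"}
# Constructed GeoJSON-style map feed; none of these values are real.
SAMPLE_FEED = json.dumps({"type": "FeatureCollection", "features": [
    {"type": "Feature", "properties": {"name": "City Hall", "power_kw": 22}},
    {"type": "Feature", "properties": {"name": "Mall P2",
                                       "station_id": "CS-AUTH-0002"}},
    {"type": "Feature", "properties": {"name": "Depot (CS-AUTH-0001)",
                                       "status": "available"}},
]})


def walk(node, path=""):
    """Yield (path, value) for every scalar in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def audit_feed(feed_text, inventory, public_fields):
    """Return (feature_index, finding, location) tuples for a published feed."""
    findings = []
    for idx, feature in enumerate(json.loads(feed_text).get("features", [])):
        props = feature.get("properties") or {}
        # Anything outside the allowlist is more metadata than the map needs.
        for key in sorted(set(props) - public_fields):
            findings.append((idx, "unlisted_field", key))
        # Inventory values can also hide inside allowed fields (names, URLs).
        for path, value in walk(props):
            if isinstance(value, str) and any(i in value for i in inventory):
                findings.append((idx, "identifier_exposed", path))
    return findings


if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_FEED, INVENTORY, PUBLIC_FIELDS):
        print(finding)
```

Any `identifier_exposed` finding marks an identifier that is a candidate for rotation as well as removal from the feed.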
Evidence notes
Primary evidence comes from CISA advisory ICSA-26-062-06 / CVE-2026-27777, published 2026-03-03, which states: "Charging station authentication identifiers are publicly accessible via web-based mapping platforms." The advisory lists CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, references CWE-522, and records that Mobiliti did not respond to CISA's coordination request. The supplied corpus does not indicate a KEV entry.
Official resources
- CVE-2026-27777 CVE record (CVE.org)
- CVE-2026-27777 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA publicly released ICSA-26-062-06 for CVE-2026-27777 on 2026-03-03. The advisory says Mobiliti did not respond to coordination requests. No KEV date is listed in the supplied corpus.