PatchSiren cyber security CVE debrief
CVE-2026-27778 Unknown Vendor CVE debrief
CVE-2026-27778 is a network-reachable availability issue in ePower epower.ie. CISA says the product’s WebSocket API lacks restrictions on authentication request volume, which can let an attacker overwhelm the service, suppress or mis-route charger telemetry, or attempt brute-force access. The advisory rates the issue 7.5 (HIGH) with a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
- Vendor: Unknown Vendor
- Product: ePower epower.ie vers:all/*
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-03
- Original CVE updated: 2026-03-03
- Advisory published: 2026-03-03
- Advisory updated: 2026-03-03
Who should care
Operators of ePower/epower.ie deployments, OT/ICS security teams, charger fleet administrators, and incident responders should care because the flaw can affect service availability and telemetry integrity without requiring prior access.
Technical summary
The advisory describes a missing rate limit on WebSocket authentication requests. Because the weakness is exposed over the network and does not require privileges or user interaction, an attacker could repeatedly send authentication attempts to degrade service availability and potentially brute-force credentials. CISA lists the affected product as ePower / epower.ie, version scope vers:all/*, and maps the issue to CWE-307 (Improper Restriction of Excessive Authentication Attempts).
Defensive priority
High
Recommended defensive actions
- Review whether any ePower/epower.ie systems are exposed to untrusted networks and restrict access to the WebSocket interface where possible.
- Apply vendor guidance if it becomes available; CISA notes that ePower did not respond to its coordination request and provides the vendor support page in the advisory.
- Implement compensating controls such as network segmentation, allowlisting, and monitoring for repeated authentication attempts or unusual charger telemetry patterns.
- Increase logging and alerting around WebSocket authentication failures, connection bursts, and telemetry anomalies.
- Use CISA ICS recommended practices and defense-in-depth guidance for OT environments while awaiting a product fix.
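One way to implement the monitoring for repeated authentication attempts recommended above, as an added example that is not taken from the CISA advisory or from the vendor: a sliding-window detector run over WebSocket authentication log lines. The log format, field names, thresholds and sample IP addresses are constructed assumptions, since the advisory does not describe the product's logging.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO time> src=<ip> event=ws_auth result=<ok|fail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) event=ws_auth result=(?:ok|fail)$")

def detect_auth_bursts(lines, max_attempts=5, window=timedelta(seconds=60)):
    """Return {source: time of first alert} for every source that sends more
    than max_attempts authentication requests inside one sliding window.
    Successes and failures both count, because the issue is request volume.
    Lines must be in time order."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authentication event, or malformed
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            alerts.setdefault(m["src"], ts)
    return alerts

def build_sample_log():
    """Constructed sample data using documentation-range IP addresses."""
    base = datetime(2026, 3, 3, 12, 0, 0)
    lines = ["not an auth line"]
    for i in range(8):  # burst: 8 failures, 2 seconds apart
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} src=198.51.100.7 event=ws_auth result=fail")
    for i in range(6):  # normal client: one login every 5 minutes
        t = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{t} src=192.0.2.10 event=ws_auth result=ok")
    return sorted(lines)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    for src, when in detect_auth_bursts(build_sample_log()).items():
        print(f"ALERT {src}: auth request burst at {when.isoformat()}")
```

The same per-source counter can sit in a reverse proxy or gateway in front of the WebSocket interface to reject requests over the threshold, as a compensating control while no product fix is available.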
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-062-07, published 2026-03-03, which states: the WebSocket API lacks restrictions on the number of authentication requests; this can enable denial-of-service attacks that suppress or mis-route charger telemetry, or brute-force attacks to gain unauthorized access. The advisory lists the product as ePower / epower.ie / vers:all/*, includes CWE-307, and records the initial publication on 2026-03-03. The remediation section says ePower did not respond to CISA’s coordination request and points to the vendor support page.
Official resources
- CVE-2026-27778 CVE record (CVE.org)
- CVE-2026-27778 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2026-03-03 in ICSA-26-062-07; the advisory notes that ePower did not respond to CISA’s coordination request.