EV Energy ev.energy Improper Restriction of Excessive Authentication Attempts
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
EV Energy did not respond to CISA's request for coordination. Contact EV
Energy using their contact page here: https://www.ev.energy/en-us for
more information.
Exploits
Credits
finder
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.