CVE-2026-24912
Session Hijacking in WebSocket Backend via Predictable IDs
Publication date: 2026-03-06
Last updated on: 2026-05-06
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| epower | epower.ie | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the WebSocket backend of ePower charging stations, where the system uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier.
Because of this design flaw, session identifiers become predictable, enabling session hijacking or shadowing attacks. In such attacks, the most recent connection can displace the legitimate charging station and receive backend commands intended for that station.
This means unauthorized users could authenticate as other users or a malicious actor could cause a denial-of-service condition by overwhelming the backend with valid session requests.
How can this vulnerability impact me? :
The vulnerability can allow unauthorized users to impersonate legitimate charging stations, potentially gaining access to backend commands and control.
Additionally, a malicious actor could exploit this flaw to cause a denial-of-service (DoS) condition by flooding the backend with valid session requests, disrupting normal operations.
This could lead to service interruptions, unauthorized control, and potential operational disruptions of the charging stations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves predictable session identifiers in the WebSocket backend of ePower charging stations, allowing multiple endpoints to connect using the same session identifier and enabling session hijacking or shadowing.
To detect this vulnerability on your network or system, you should monitor for multiple simultaneous connections using the same session identifier to the WebSocket backend. Look for unusual session displacement events where a new connection replaces an existing legitimate session.
While no specific detection commands are provided, general network monitoring tools and WebSocket traffic analysis can be used to identify multiple connections sharing session identifiers. Commands or tools that capture and analyze WebSocket traffic, such as Wireshark with WebSocket protocol decoding, or custom scripts to log session identifiers and connection counts, may help detect this behavior.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include minimizing network exposure of the affected control system devices by isolating them behind firewalls and restricting access.
Use secure remote access methods such as VPNs to limit unauthorized access, while recognizing their limitations.
Perform impact analysis and risk assessments before deploying any mitigations and follow established internal procedures to report any suspected malicious activity.
Since no vendor fix or coordinated response from ePower has been provided, contacting ePower support for further guidance is recommended.