{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25113", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-02-23T23:48:14.377Z", "datePublished": "2026-02-26T23:59:46.758Z", "dateUpdated": "2026-03-10T19:20:52.878Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "swtchenergy.com", "vendor": "SWITCH EV", "versions": [{"status": "affected", "version": "All versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access."}], "value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-05T20:17:18.680Z"}, "references": [{"url": "https://swtchenergy.com/contact/"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-06.json"}], "source": {"advisory": "ICSA-26-057-06", "discovery": "EXTERNAL"}, "title": "SWITCH EV swtchenergy.com Improper Restriction of Excessive Authentication Attempts", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SWITCH EV did not respond to CISA's request for coordination. Contact \nSWITCH EV using their contact page here: \n<a target=\"_blank\" rel=\"nofollow\" href=\"https://swtchenergy.com/contact/\">https://swtchenergy.com/contact/</a> for more information.\n\n<br>"}], "value": "SWITCH EV did not respond to CISA's request for coordination. Contact \nSWITCH EV using their contact page here: \n https://swtchenergy.com/contact/ for more information."}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T19:20:42.058646Z", "id": "CVE-2026-25113", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:20:52.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25113", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:20:42.058646Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:27:55.540Z"}}], "cna": {"title": "SWITCH EV swtchenergy.com Improper Restriction of Excessive Authentication Attempts", "source": {"advisory": "ICSA-26-057-06", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SWITCH EV", "product": "swtchenergy.com", "versions": [{"status": "affected", "version": "All versions"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://swtchenergy.com/contact/"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-06.json"}], "workarounds": [{"lang": "en", "value": "SWITCH EV did not respond to CISA's request for coordination. Contact \nSWITCH EV using their contact page here: \n https://swtchenergy.com/contact/ for more information.", "supportingMedia": [{"type": "text/html", "value": "SWITCH EV did not respond to CISA's request for coordination. Contact \nSWITCH EV using their contact page here: \n<a target=\"_blank\" rel=\"nofollow\" href=\"https://swtchenergy.com/contact/\">https://swtchenergy.com/contact/</a> for more information.\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access.", "supportingMedia": [{"type": "text/html", "value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-05T20:17:18.680Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25113", "state": "PUBLISHED", "dateUpdated": "2026-03-10T19:20:52.878Z", "dateReserved": "2026-02-23T23:48:14.377Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-02-26T23:59:46.758Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:swtchenergy:swtchenergy.com:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BD9A325-1924-47AF-9E3C-51FEF069A2B4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access."}, {"lang": "es", "value": "La Interfaz de Programaci\u00f3n de Aplicaciones WebSocket carece de restricciones sobre el n\u00famero de solicitudes de autenticaci\u00f3n. Esta ausencia de limitaci\u00f3n de velocidad puede permitir a un atacante realizar ataques de denegaci\u00f3n de servicio al suprimir o redirigir incorrectamente la telemetr\u00eda leg\u00edtima del cargador, o realizar ataques de fuerza bruta para obtener acceso no autorizado."}], "id": "CVE-2026-25113", "lastModified": "2026-03-05T21:16:15.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-02-27T00:16:56.853", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory"], "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-06.json"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://swtchenergy.com/contact/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "swtchenergy.com", "source": "cna", "vendor": "SWITCH EV"}, "product": "swtchenergy.com", "vendor": "switch_ev"}], "analysis": {"en": {"generated_at": "2026-04-16T15:48:32.329659+00:00", "value": {"mitigation_remediation": ["Contact SWITCH EV via their contact page for remediation guidance.", "Limit exposure of the WebSocket API by applying firewall rules or network segmentation to restrict connections to trusted hosts.", "Implement application\u2011or network\u2011layer rate limiting on the authentication endpoint to throttle repeated attempts, preventing DoS and brute\u2011force attacks."], "summary": {"action": "Contact Vendor", "impact": "Denial of Service and Brute-Force Authentication"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WebSocket API of SWITCH EV's swtchenergy.com platform. Vendor SWITCH EV provides the product at swtchenergy.com, but no specific version or build information is disclosed in the advisory.", "description_and_impact": "The WebSocket application programming interface exhibits a CWE\u2011307 (Improper Restriction of Excessive Authentication Attempts) by not enforcing any restrictions on the number of authentication attempts, which allows an attacker to abuse the authentication mechanism. This flaw can be leveraged to perform denial\u2011of\u2011service attacks by flooding the telemetry channel, or to conduct brute\u2011force attempts to gain unauthorized access, compromising the integrity of charger data and network security.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of active exploitation at this time. The flaw is not listed in the KEV catalog. The likely attack vector is remote, over the network via WebSocket connections, requiring no privileged access. If exploited, an attacker could disrupt telemetry flows, cause service outages, or eventually elevate privileges through repeated authentication attempts."}}}}, "created": "2026-02-27T09:03:25.271953+00:00", "updated": "2026-04-16T16:00:13.862345+00:00", "vendors": ["switch_ev", "switch_ev$PRODUCT$swtchenergy.com"]}