Mobility46 mobility46.se

Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-057-08 | Feb 26, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mobility46 charging stations contain multiple authentication and credential storage vulnerabilities (CWE-306, CWE-307, CWE-522, CWE-613) affecting all versions. Successful exploitation allows attackers to gain unauthorized administrative control over charging stations or disrupt charging services through denial-of-service attacks. The vendor did not respond to CISA coordination requests and no patch has been released.

What this means
What could happen
An attacker could gain administrative control over EV charging stations, allowing them to alter charging parameters, disable stations, or disrupt charging services. This could impact facility operations and strand electric vehicles unable to charge.
Who's at risk
EV charging station operators and facility managers responsible for public or private charging infrastructure that uses Mobility46 charging stations should be concerned. This affects municipal utilities, commercial parking operators, and fleet charging facilities.
How it could be exploited
An attacker with network access to a charging station could exploit authentication weaknesses (CWE-306, CWE-307) or insecure credential storage (CWE-522) to gain administrative access without valid credentials. No user interaction is required.
Prerequisites
  • Network access to the charging station management interface or API
  • No valid credentials required due to authentication bypass
Tags: remotely exploitable, no authentication required, low complexity, no patch available, vendor did not respond to coordination requests
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product | Affected Versions | Fix Status
mobility46.se: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Contact Mobility46 via their support page (https://www.mobility46.se/en/contact-us) to request security updates or patches, or to determine if a migration path to a fixed version exists.
HARDENING: Restrict network access to charging station management interfaces using firewall rules; allow only authorized administrative devices and networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor charging station logs and administrative access for suspicious activity or unauthorized configuration changes.
Mitigations - no patch available
mobility46.se: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate charging station infrastructure from general corporate IT networks.
API: /api/v1/advisories/ed331b01-243b-47bd-a590-e7f08d8f9b11
