OTPulse

Mobility46 mobility46.se

Act Now | CVSS 9.4 | ICS-CERT ICSA-26-057-08 | Feb 26, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mobility46 charging stations contain multiple vulnerabilities (CWE-306 weak authentication, CWE-307 improper input validation, CWE-613 insufficient session management, CWE-522 credential exposure) in all versions. Successful exploitation enables attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks. The vendor has not responded to CISA coordination requests, and no patch is available.

What this means
What could happen
An attacker could gain administrative control of EV charging stations, allowing them to disrupt charging services, modify pricing, or prevent legitimate users from charging. Alternatively, attackers could cause denial-of-service conditions that render charging infrastructure unavailable.
Who's at risk
Fleet operators, municipalities, and utilities managing Mobility46 EV charging stations should care about this vulnerability. This affects any public or private charging infrastructure running Mobility46 hardware, particularly in locations where charging availability is critical to transportation services.
How it could be exploited
An unauthenticated attacker on the network can send specially crafted requests to the charging station's management interface (likely over HTTP/HTTPS on port 80/443 or proprietary ports) to bypass authentication checks. By exploiting weak or missing credential validation, the attacker gains administrative access and can issue commands to the charging station firmware or backend systems.
Prerequisites
  • Network-accessible charging station (reachable from the attacker's network, or from the internet if not behind a firewall)
  • No valid credentials or authentication-bypass capability required
Remotely exploitable · No authentication required · Low complexity · No patch available · Critical CVSS score (9.4) · Affects critical infrastructure (EV charging)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
mobility46.se: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate affected Mobility46 charging stations from untrusted networks using firewall rules; restrict access to authorized management workstations only
  • WORKAROUND: Enable any available authentication mechanisms in station configuration; change default credentials if present
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor charging station logs and network traffic for unauthorized access attempts or administrative commands
  • HOTFIX: Contact Mobility46 directly at https://www.mobility46.se/en/contact-us to request security patches or guidance; evaluate replacement with a patched alternative if the vendor does not respond
Mitigations - no patch available
mobility46.se: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to separate charging infrastructure from corporate networks and public internet where feasible
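
The isolation and monitoring steps above can be verified against firewall flow logs. The following is an added example, not part of the advisory or any vendor tooling; the station subnet, workstation allowlist, log format and sample records are constructed assumptions, and the port set should be extended with any proprietary management ports in use.

```python
import ipaddress
from collections import defaultdict

# Assumed values, constructed for this example (not from the advisory):
STATION_NET = ipaddress.ip_network("10.46.0.0/24")      # charging station VLAN
MGMT_ALLOWED = [ipaddress.ip_network("10.10.5.16/30")]  # authorized workstations
MGMT_PORTS = {80, 443}                                  # ports the page names as likely

# Constructed firewall flow records: time,src,dst,dport,action
SAMPLE_LOG = """\
2026-02-27T08:01:12Z,10.10.5.17,10.46.0.21,443,ACCEPT
2026-02-27T08:03:40Z,10.20.9.88,10.46.0.21,443,ACCEPT
2026-02-27T08:03:41Z,10.20.9.88,10.46.0.22,80,ACCEPT
2026-02-27T08:04:02Z,198.51.100.7,10.46.0.21,443,DROP
2026-02-27T08:05:00Z,10.10.5.18,10.10.7.3,443,ACCEPT
garbage line without enough fields
2026-02-27T08:06:15Z,10.20.9.88,10.46.0.21,8080,ACCEPT
"""

def parse(line):
    """Return (time, src, dst, dport, action), or None for malformed input."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), parts[4].upper())
    except ValueError:
        return None

def audit(log_text):
    """Group traffic to station management ports from non-allowlisted sources."""
    findings = defaultdict(lambda: {"reached": [], "blocked": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport, action = rec
        if dst not in STATION_NET or dport not in MGMT_PORTS:
            continue  # not traffic to a station management interface
        if any(src in net for net in MGMT_ALLOWED):
            continue  # authorized management workstation
        if action == "ACCEPT":  # segmentation gap: the connection got through
            findings[str(src)]["reached"].append((ts, str(dst), dport))
        else:                   # firewall held; count the attempt
            findings[str(src)]["blocked"] += 1
    return dict(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any source listed under `reached` indicates a firewall rule that still lets non-management hosts talk to a station and should be closed; `blocked` counts show the rule working and give a baseline for alerting.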