Mobiliti e-mobi.hu

Act Now9.4ICS-CERT ICSA-26-062-06Mar 3, 2026

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Mobiliti e-mobi.hu charging station controllers contain multiple authentication and encryption weaknesses (CWE-306, CWE-307, CWE-522, CWE-613) that allow remote attackers to bypass access controls and gain unauthorized administrative access without valid credentials. Successful exploitation enables attackers to reconfigure charging station settings, alter charging behavior, or disable charging services. The vulnerability affects all versions of e-mobi.hu, and Mobiliti has not responded to CISA coordination requests.

What this means

What could happen

An attacker could gain unauthorized administrative access to e-mobi.hu charging station controllers and disrupt EV charging services, potentially impacting transportation and energy sector operations that depend on public charging infrastructure.

Who's at risk

Energy and transportation operators using Mobiliti e-mobi.hu EV charging station controllers should be concerned. This affects public charging networks, fleet operators with managed charging infrastructure, and utilities that provide EV charging as part of grid modernization efforts.

How it could be exploited

An attacker on the network can exploit weak authentication mechanisms (CWE-306, CWE-307) and insecure data transmission (CWE-522) to bypass access controls and obtain administrative credentials without authentication. Once authenticated, the attacker can reconfigure charging station behavior, alter power delivery, or deny service to legitimate users.

Prerequisites

Network access to the e-mobi.hu charging station management interface (port/service unspecified in advisory)
No valid credentials required to exploit authentication weaknesses

remotely exploitableno authentication requiredlow complexityno patch availableaffects critical infrastructure (energy/transportation)actively developed product with unresponsive vendor

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

e-mobi.hu: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGEnsure e-mobi.hu charging stations are not directly accessible from the Internet; isolate them behind firewalls on a separate network segment from business systems

WORKAROUNDContact Mobiliti support at https://www.mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat to request security guidance and track availability of patches

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGIf remote access to charging stations is required, implement a VPN with current security patches and strong authentication (multi-factor where possible)

HARDENINGMonitor network traffic to and from charging station controllers for signs of unauthorized access attempts or unusual administrative activity

CVEs (4)

CVE-2026-26051 CVE-2026-20882 CVE-2026-27764 CVE-2026-27777

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/94a9dc62-765c-4af7-993e-474df3d2cbbb