Mobiliti e-mobi.hu

Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-062-06 | Mar 3, 2026
Energy | Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

e-mobi.hu charging stations contain multiple authentication and session management vulnerabilities (CWE-306, CWE-307, CWE-613, CWE-522) that allow unauthorized administrative access over the network. Successful exploitation could enable attackers to gain administrative control of charging stations or disrupt charging services. Mobiliti did not respond to CISA coordination requests, and no patch is planned.

What this means
What could happen
An attacker who gains unauthorized administrative control of e-mobi.hu charging stations could modify charging parameters, disable charging services, or shut down the stations. Loss of EV charging infrastructure could disrupt transportation operations and emergency vehicle charging capabilities.
Who's at risk
Electric utility operators and transportation agencies that deploy e-mobi.hu EV charging stations should prioritize securing these devices. This affects public and private EV charging infrastructure used by fleets, municipalities, and commercial operators.
How it could be exploited
An attacker on the internet can access the e-mobi.hu charging station management interface without credentials due to missing authentication controls and weak session management. Once authenticated (or by bypassing authentication), the attacker can execute administrative commands to alter charging setpoints, disable stations, or cause denial-of-service conditions.
Prerequisites
  • Network connectivity to the internet-exposed e-mobi.hu charging station management interface
  • No valid credentials required—authentication is not properly enforced
remotely exploitable, no authentication required, low complexity, no patch available, critical CVSS score (9.4), vendor non-responsive (no fix planned)
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product | Affected Versions | Fix Status
e-mobi.hu: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to e-mobi.hu charging station management interfaces—do not expose them directly to the internet. Place all charging stations behind a firewall and allow access only from authorized administrative networks.
  • HARDENING: Implement network segmentation to isolate charging station networks from business networks and the internet.
  • HARDENING: If remote access to charging stations is required, use a Virtual Private Network (VPN) to provide secure, encrypted access from authorized locations only.
  • HARDENING: Perform a network audit to identify all e-mobi.hu charging stations currently accessible from the internet and document their locations and configurations.
  • WORKAROUND: Contact Mobiliti at https://www.mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat to request information about security patches or alternative mitigation guidance, and report your findings.
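One way to check your own asset inventory and firewall rule export against the hardening items above (an added example, not from the advisory or the vendor). The CSV layouts, station IDs, addresses and admin subnet are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample data (assumption, not from the advisory). 203.0.113.0/24 is
# the documentation range and stands in for a public address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin/VPN subnet

INVENTORY_CSV = """station_id,site,mgmt_ip
CS-001,Depot A,10.50.1.10
CS-002,Depot A,10.50.1.11
CS-003,Car park B,203.0.113.25
CS-004,Car park B,10.50.2.10
"""
ALLOW_RULES_CSV = """src_cidr,dst_ip
10.20.0.0/24,10.50.1.10
0.0.0.0/0,10.50.1.11
10.20.0.0/24,203.0.113.25
192.168.7.0/24,10.50.2.10
"""


def audit(inventory_csv, rules_csv, admin_nets):
    """Return {station_id: [findings]} for stations that violate the guidance."""
    rules = {}
    for row in csv.DictReader(io.StringIO(rules_csv)):
        src = ipaddress.ip_network(row["src_cidr"])
        rules.setdefault(ipaddress.ip_address(row["dst_ip"]), []).append(src)

    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ip = ipaddress.ip_address(row["mgmt_ip"])
        issues = []
        # A management address outside RFC 1918 space is treated as internet-facing.
        if not any(ip in net for net in RFC1918):
            issues.append("management IP is outside RFC 1918 space")
        for src in rules.get(ip, []):
            # Every permitted source must sit inside an authorized admin network.
            if not any(src.subnet_of(net) for net in admin_nets):
                issues.append(f"allow rule from non-admin source {src}")
        if issues:
            findings[row["station_id"]] = issues
    return findings


if __name__ == "__main__":
    for station, issues in audit(INVENTORY_CSV, ALLOW_RULES_CSV, ADMIN_NETS).items():
        print(station, "->", "; ".join(issues))
```

Replace the embedded CSV strings with exports from your own inventory and firewall; each flagged station is one to document and move behind the admin-only path.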

Mobiliti e-mobi.hu | CVSS 9.4 - OTPulse