Charging Station Sessions Can Be Hijacked by Unsecured IDs

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.9

Charging Station Sessions Can Be Hijacked by Unsecured IDs

CVE-2026-25778

Summary

The charging station software doesn't properly keep track of user sessions, making it possible for an attacker to connect as someone else or overload the system with fake requests. This could allow unauthorized access or disrupt normal operations. Update the software to ensure unique and secure session IDs.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
swtchenergy	swtchenergy.com	All versions	–

Original title

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in p...

Original description

The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.

nvd CVSS3.1 7.5

nvd CVSS4.0 6.9

Vulnerability type

CWE-613

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
https://swtchenergy.com/contact/ Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06 Third Party Advisory US Government Resource

Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026