← voltar
CVE-2026-22093

Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app

CVSS 9.5 CRITICALCWE-295
Vexday Risk Score
25Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 9.5EPSS KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
13 jul 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L
Produtos afetados
EVbee · EVbee Service