Back to overview

CVE-2026-22093

CRITICAL
9.5
CVSS 4.0
Description
The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00.

Metadata

CVE ID
CVE-2026-22093
State
PUBLISHED
Assigner
DIVD
Reserved
2026-01-06 11:08 UTC
Published
2026-07-13 09:10 UTC
Last updated
2026-07-13 13:12 UTC
Primary CWE
CWE-295
CWE-295 Improper Certificate Validation
Vendor / Product
EVbee / EVbee Service
Sources
cve.org  ·  NVD

Severity & Metrics

9.5 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
EVbee EVbee Service Android 0 < 1.4.7.10
Weakness (CWE)
CWESourceDescription
CWE-295 cna CWE-295 Improper Certificate Validation
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.5 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L
Back to overview