Critical Vulnerabilities in Mobility46 EV Chargers Expose Admin Control Risks

Source: CISA Cybersecurity Advisories

CISA warns of severe flaws in Mobility46 charging stations (CVE-2026-23987, CVE-2026-23988) enabling admin access and DoS attacks. Patch immediately.

Critical Flaws in Mobility46 EV Chargers Enable Unauthorized Admin Access

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed multiple critical vulnerabilities in Mobility46 electric vehicle (EV) charging stations, which could allow attackers to gain unauthorized administrative control or disrupt services via denial-of-service (DoS) attacks. The advisory, published under ICSA-26-057-08, highlights risks to operational technology (OT) environments.

Technical Details

The vulnerabilities affect Mobility46 charging station firmware and include:

  • CVE-2026-23987: Authentication bypass flaw enabling admin access without credentials (CVSS: 9.8, Critical).
  • CVE-2026-23988: Improper input validation leading to DoS conditions (CVSS: 7.5, High).

Exploitation requires network access to the charging station’s management interface. Attackers could manipulate settings, exfiltrate data, or render devices inoperable.

Impact Analysis

  • Unauthorized Control: Threat actors could alter charging parameters, disable safety protocols, or deploy ransomware.
  • Service Disruption: DoS attacks may halt charging operations, impacting critical infrastructure (e.g., fleet depots, public charging networks).
  • Supply Chain Risks: Compromised stations could serve as pivot points for lateral movement in OT networks.

Recommendations

CISA urges stakeholders to:

  1. Apply Patches: Update to the latest firmware version (refer to Mobility46’s advisory).
  2. Isolate Networks: Segment charging stations from corporate IT and OT systems.
  3. Monitor Traffic: Deploy intrusion detection systems (IDS) to detect anomalous activity.
  4. Review CSAF: Consult the CSAF document for mitigation details.

Note: No active exploitation has been reported, but unpatched systems remain high-risk targets.
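As an added example (not code from CISA or Mobility46), the following Python triage step supports recommendation 4: it parses a CSAF 2.0 document, ranks each vulnerability by its CVSS v3 base score, lists the affected products, and reports whether a vendor fix is offered. The embedded CSAF excerpt is constructed from the CVE numbers, scores and advisory ID above; its product IDs, product names and remediation text are placeholders.

```python
import json

# Constructed CSAF 2.0 excerpt modelled on the advisory above; product IDs,
# product names and remediation text are placeholders, not Mobility46's.
SAMPLE_CSAF = json.dumps({
    "document": {"title": "Mobility46 charging stations",
                 "tracking": {"id": "ICSA-26-057-08"}},
    "product_tree": {"full_product_names": [
        {"product_id": "CSAFPID-0001", "name": "PLACEHOLDER firmware (affected)"},
        {"product_id": "CSAFPID-0002", "name": "PLACEHOLDER firmware (fixed)"}]},
    "vulnerabilities": [
        {"cve": "CVE-2026-23987",
         "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
         "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"},
                     "products": ["CSAFPID-0001"]}],
         "remediations": [{"category": "vendor_fix", "details": "Update to the fixed firmware.",
                           "product_ids": ["CSAFPID-0001"]}]},
        {"cve": "CVE-2026-23988",
         "product_status": {"known_affected": ["CSAFPID-0001"]},
         "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH"},
                     "products": ["CSAFPID-0001"]}],
         "remediations": [{"category": "mitigation", "details": "Restrict management interface access.",
                           "product_ids": ["CSAFPID-0001"]}]},
    ],
})

def triage(csaf_json, min_score=7.0):
    """Return vulnerabilities scoring at or above min_score, highest first,
    with affected product names and whether the vendor ships a fix."""
    doc = json.loads(csaf_json)
    names = {p["product_id"]: p["name"]
             for p in doc.get("product_tree", {}).get("full_product_names", [])}
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        # Use the highest CVSS v3 base score across all score entries.
        scores = [s["cvss_v3"]["baseScore"] for s in vuln.get("scores", []) if "cvss_v3" in s]
        top = max(scores, default=0.0)
        if top < min_score:
            continue
        rems = vuln.get("remediations", [])
        affected = vuln.get("product_status", {}).get("known_affected", [])
        findings.append({
            "cve": vuln.get("cve"), "score": top,
            "affected": sorted(names.get(p, p) for p in affected),
            "vendor_fix": any(r.get("category") == "vendor_fix" for r in rems),
            "actions": [r.get("details", "") for r in rems]})
    # Highest score first so patching order follows severity.
    return sorted(findings, key=lambda f: -f["score"])
```

Run `triage(SAMPLE_CSAF)` against the real CSAF JSON once downloaded; entries with `vendor_fix` False are the ones that still need compensating controls such as segmentation.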
For further updates, follow CISA’s ICS Advisories.