Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for EVbee Service by EVbee

    CVE-2026-22093 (GCVE-0-2026-22093)

    Vulnerability from nvd – Published: 2026-07-13 09:10 – Updated: 2026-07-13 13:12
    VLAI
    Title
    Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app
    Summary
    The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    References
    URL Tags
    https://csirt.divd.nl/DIVD-2026-00001/ third-party-advisory
    Impacted products
    Vendor Product Version
    EVbee EVbee Service Affected: 0 , < 1.4.7.10 (semver)
    Create a notification for this product.
    Credits
    Wilco van Beijnum (ElaadNL) Jeroen van der Ham-de Vos (DIVD)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22093",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:12:49.972968Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:12:56.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "EVbee Service",
              "vendor": "EVbee",
              "versions": [
                {
                  "lessThan": "1.4.7.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wilco van Beijnum (ElaadNL)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jeroen van der Ham-de Vos (DIVD)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the\u0026nbsp;communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects EVbee Service: v1.4.101.00.\u003c/p\u003e"
                }
              ],
              "value": "The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the\u00a0communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.\n\n\n\n\n\nThis issue affects EVbee Service: v1.4.101.00."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T09:10:56.109Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/DIVD-2026-00001/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adversary-in-the-Middle (AitM) attack  vulnerability in EVbee Service app",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2026-22093",
        "datePublished": "2026-07-13T09:10:56.109Z",
        "dateReserved": "2026-01-06T11:08:58.181Z",
        "dateUpdated": "2026-07-13T13:12:56.764Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22093 (GCVE-0-2026-22093)

    Vulnerability from cvelistv5 – Published: 2026-07-13 09:10 – Updated: 2026-07-13 13:12
    VLAI
    Title
    Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app
    Summary
    The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    References
    URL Tags
    https://csirt.divd.nl/DIVD-2026-00001/ third-party-advisory
    Impacted products
    Vendor Product Version
    EVbee EVbee Service Affected: 0 , < 1.4.7.10 (semver)
    Create a notification for this product.
    Credits
    Wilco van Beijnum (ElaadNL) Jeroen van der Ham-de Vos (DIVD)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22093",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:12:49.972968Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:12:56.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "EVbee Service",
              "vendor": "EVbee",
              "versions": [
                {
                  "lessThan": "1.4.7.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wilco van Beijnum (ElaadNL)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jeroen van der Ham-de Vos (DIVD)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the\u0026nbsp;communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects EVbee Service: v1.4.101.00.\u003c/p\u003e"
                }
              ],
              "value": "The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the\u00a0communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.\n\n\n\n\n\nThis issue affects EVbee Service: v1.4.101.00."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T09:10:56.109Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/DIVD-2026-00001/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Adversary-in-the-Middle (AitM) attack  vulnerability in EVbee Service app",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2026-22093",
        "datePublished": "2026-07-13T09:10:56.109Z",
        "dateReserved": "2026-01-06T11:08:58.181Z",
        "dateUpdated": "2026-07-13T13:12:56.764Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }