CVE-2026-22093

EVbee · EVbee Service

The EVbee Service Android app fails to validate server certificates and uses weak encryption, allowing network-based attackers to intercept and manipulate communication with charging stations.

Executive summary

A critical security flaw in the EVbee Service app enables man-in-the-middle attacks, allowing unauthorized access to sensitive charging station communication.

Vulnerability

The application performs improper certificate validation and relies on weak RC4 encryption with a hardcoded key. This allows an unauthenticated attacker positioned on the network path to decrypt, intercept, and manipulate traffic between the mobile application and the EVbee server.

Business impact

With a CVSS score of 9.5 (Critical), this vulnerability poses a severe risk to service integrity. An attacker could intercept access codes for charging stations, potentially leading to unauthorized usage, service disruption, or further exploitation of the connected infrastructure.

Remediation

Immediate Action: Update the EVbee Service application to version 1.4.7.10 or higher immediately.

Proactive Monitoring: Review network traffic patterns for signs of intercepted or anomalous encrypted communication originating from the EVbee Service application.

Compensating Controls: Advise users to avoid using the application on untrusted or public Wi-Fi networks until the update is applied, as these environments are most susceptible to man-in-the-middle interception.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The combination of improper certificate validation and weak, hardcoded encryption creates a significant security gap. Users must update the application immediately to ensure that communications are properly secured and that the risk of interception is eliminated.