CVE-2026-22093
EVbee · EVbee Service
The EVbee Service Android app fails to validate server certificates and uses weak encryption, allowing network-based attackers to intercept and manipulate communication with charging stations.
Executive summary
A critical security flaw in the EVbee Service app enables man-in-the-middle attacks, allowing unauthorized access to sensitive charging station communication.
Vulnerability
The application performs improper certificate validation and relies on weak RC4 encryption with a hardcoded key. This allows an unauthenticated attacker positioned on the network path to decrypt, intercept, and manipulate traffic between the mobile application and the EVbee server.
Business impact
With a CVSS score of 9.5 (Critical), this vulnerability poses a severe risk to service integrity. An attacker could intercept access codes for charging stations, potentially leading to unauthorized usage, service disruption, or further exploitation of the connected infrastructure.
Remediation
Immediate Action: Update the EVbee Service application to version 1.4.7.10 or higher immediately.
Proactive Monitoring: Review network traffic patterns for signs of intercepted or anomalous encrypted communication originating from the EVbee Service application.
Compensating Controls: Advise users to avoid using the application on untrusted or public Wi-Fi networks until the update is applied, as these environments are most susceptible to man-in-the-middle interception.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The combination of improper certificate validation and weak, hardcoded encryption creates a significant security gap. Users must update the application immediately to ensure that communications are properly secured and that the risk of interception is eliminated.