CVE-2026-42952

Hydro-Québec · Le Circuit Electrique charging station backend

A lack of request throttling on the charging station backend of Le Circuit Electrique allows unauthenticated attackers to perform denial-of-service attacks.

Executive summary

A high-severity denial-of-service vulnerability in the Hydro-Québec Le Circuit Electrique charging station backend allows unauthenticated attackers to disrupt service via excessive requests.

Vulnerability

The system fails to implement throttling on authentication attempts (CWE-307), allowing unauthenticated attackers to overwhelm the service and trigger a denial-of-service condition.

Business impact

This vulnerability could result in the total unavailability of charging services for users, causing significant operational disruption and reputational harm. With a CVSS score of 7.5, the risk to service availability is substantial, particularly given the critical infrastructure nature of the software.

Remediation

Immediate Action: Ensure all charging stations have been updated as per the vendor's June 2026 update, which disables insecure OCPP configurations and implements proper authentication.

Proactive Monitoring: Monitor backend logs for spikes in authentication requests or abnormal traffic patterns that indicate a potential DoS attempt.

Compensating Controls: If stations cannot be updated, restrict network access to the charging station backend to authorized IP ranges only.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Operators of the affected charging infrastructure must verify that the June 2026 updates have been applied. Given the potential for service disruption, maintaining the integrity and availability of these controls is essential for continued operation.