Certificate Validation Issue in EVbee Service Android App by EVbee
CVE-2026-22093
9.5CRITICAL
What is CVE-2026-22093?
The EVbee Service Android app employs TLS encrypted communication but fails to validate the server's certificate. This oversight allows attackers on the network to intercept and manipulate interactions between the app and the EVbee server. Furthermore, the app uses weak encryption (RC4 with a hardcoded key), potentially exposing sensitive data such as access codes for charging stations. This vulnerability highlights the importance of robust certificate validation in secure app development.
Affected Version(s)
EVbee Service Android 0 < 1.4.7.10
References
CVSS V4
Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Wilco van Beijnum (ElaadNL)
Jeroen van der Ham-de Vos (DIVD)
