CVE-2026-44383 in Le Circuit Electrique charging station backendinfo

Summary

by MITRE • 07/11/2026

Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

This vulnerability represents a critical resource exhaustion flaw in charging station management systems that enables denial of service attacks through excessive concurrent connections. The issue stems from insufficient connection limiting mechanisms within the backend infrastructure that processes Open Charge Point Protocol communications. When multiple malicious OCPP client instances establish simultaneous connections using identical charging station identifiers, they can overwhelm system resources including memory allocation, thread pools, and database connection handlers.

The technical implementation flaw allows for unlimited concurrent connections per charging station ID, creating an attack surface where adversaries can spawn numerous fake client instances to exhaust available backend resources. This vulnerability directly maps to CWE-400 which describes "Uncontrolled Resource Consumption" and aligns with ATT&CK technique T1499.100 for "Endpoint Denial of Service" through resource exhaustion attacks. The backend system fails to implement proper connection rate limiting, session validation, or charging station ID uniqueness enforcement mechanisms that would normally prevent such abuse patterns.

Operationally, this vulnerability enables attackers to disrupt legitimate charging operations by consuming all available system resources and preventing new connections from being established. Charging stations may become unavailable for genuine users while the malicious clients maintain persistent connections, effectively creating a service disruption that impacts both business operations and customer experience. The impact extends beyond simple availability issues as the backend may crash or become unresponsive to legitimate charging requests.

Mitigation strategies should focus on implementing robust connection rate limiting policies with per-charging-station connection caps, enforcing proper authentication mechanisms, and deploying automated monitoring systems to detect unusual connection patterns. The system architecture must incorporate connection validation checks that verify authentic charging station identities before establishing persistent sessions. Network-level firewalls and load balancers should be configured to limit concurrent connections from single IP addresses or charging station identifiers. Additionally, implementing circuit breaker patterns and graceful degradation mechanisms will help maintain system stability even when under attack. Regular security audits should validate that connection limits are properly enforced and that the backend can handle expected traffic loads without resource exhaustion vulnerabilities.

Responsible

Icscert

Reservation

05/07/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!