Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app
Summary
| CVE | CVE-2026-22093 |
|---|---|
| State | PUBLISHED |
| Assigner | DIVD |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-13 10:16:26 UTC |
| Updated | 2026-07-13 17:44:34 UTC |
| Description | The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00. |
Risk And Classification
Primary CVSS: v4.0 9.5 CRITICAL from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.002030000 probability, percentile 0.103110000 (date 2026-07-14)
Problem Types: CWE-295 | CWE-295 CWE-295 Improper Certificate Validation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 9.5 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 9.5 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
PresentPrivileges Required
NoneUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
NoneSub Conf.
HighSub Integrity
HighSub Availability
LowCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | EVbee | EVbee Service | affected 1.4.7.10 semver | Android |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| csirt.divd.nl/DIVD-2026-00001 | [email protected] | csirt.divd.nl | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Wilco van Beijnum (ElaadNL) (en)
CNA: Jeroen van der Ham-de Vos (DIVD) (en)
There are currently no legacy QID mappings associated with this CVE.