CVE-2026-22093 PUBLISHED

Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app

Assigner: DIVD
Reserved: 06.01.2026 Published: 13.07.2026 Updated: 13.07.2026

The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.

This issue affects EVbee Service: v1.4.101.00.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L
CVSS Score: 9.5

Product Status

Vendor EVbee
Product EVbee Service
Versions Default: unaffected
  • affected from 0 to 1.4.7.10 (excl.)

Credits

  • Wilco van Beijnum (ElaadNL) finder
  • Jeroen van der Ham-de Vos (DIVD) analyst

References

Problem Types

  • CWE-295 Improper Certificate Validation CWE