The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.





This issue affects EVbee Service: v1.4.101.00.

Project Subscriptions

Vendors Products
Evbee Service Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
History

Mon, 13 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Evbee
Evbee evbee Service
Vendors & Products Evbee
Evbee evbee Service

Mon, 13 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
Description The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00.
Title Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app
Weaknesses CWE-295
References
Metrics cvssV4_0

{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: DIVD

Published:

Updated: 2026-07-13T13:12:56.764Z

Reserved: 2026-01-06T11:08:58.181Z

Link: CVE-2026-22093

cve-icon Vulnrichment

Updated: 2026-07-13T13:12:52.821Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T14:38:09Z

Weaknesses