External risk intelligence

EVbee Service App Weak TLS Certificate Validation and RC4 Encryption Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.5)

CVE-2026-22093

This vulnerability exists within a client-side Android application that communicates with a backend server. Exploitation requires an attacker to be positioned on the specific network path between the mobile device and the server to perform a man-in-the-middle attack, rather than targeting a public-facing service, endpoint, or appliance directly.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves the EVbee Service Android app, which does not properly validate server certificates, potentially allowing network attackers to intercept and read communication, including access codes for charging stations. The encryption used is also weak and uses a hardcoded key.

  • App communication can be intercepted and read.
  • Critical charging station access codes are exposed.
  • Confirm relevance and exposure to EVbee Service users.

Attack Path

How an attacker could exploit the issue

An attacker on the same network as the EVbee Service Android app could intercept communication by exploiting the app's failure to validate the server's certificate. This would allow them to read and modify the traffic, potentially gaining access to sensitive information like charging station access codes. The communication is further weakened by weak encryption with a hardcoded key, making it easier for an attacker to compromise the data.

  • Attacker must be on the app's network.
  • App fails to validate server's certificate.
  • Compromise of charging station access codes.

Live Threat

Current exploitation, exposure, and threat context

The EVbee Service Android app could allow an attacker on the network path to intercept and manipulate communications with the server. When supported by the advisory, this manipulation could grant access to charging station access codes, as the traffic is weakly encrypted.

  • Charging station access codes.
  • Attacker intercepts network traffic.
  • Unauthorized access to charging stations.

Operational Fix

Recommended remediation, mitigation, and detection steps

The EVbee Service Android app's handling of TLS certificates and weak encryption with RC4 and a hardcoded key creates a significant risk for attackers to intercept and manipulate communication, potentially gaining access to charging station codes. Real-world responsibility likely falls to the teams managing the mobile application, the backend infrastructure supporting it, and potentially vendor management if EVbee is a third-party service. The first practical step involves identifying all instances of the affected app, assessing their reachability and criticality to business operations, and then locating the accountable owner to plan remediation based on the identified risk.

  • Application and platform teams should own the issue.
  • Verify app reachability and business criticality first.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the EVbee Service app?

EVbee Service is an Android application designed to manage and interact with electric vehicle charging infrastructure. Users typically rely on it to communicate with backend servers to perform operational tasks, which often include retrieving access codes to initiate charging sessions at specific stations.

What does CWE-295 mean for CVE-2026-22093?

CWE-295 is the weakness class for improper certificate validation. In this CVE, it means the app fails to verify that the server it is talking to is actually the genuine EVbee server. Because the app accepts any certificate presented to it, a malicious actor can impersonate the server and intercept the data stream.

How does an attacker trigger this vulnerability?

An attacker must be positioned on the same network path as the mobile device, such as on a public Wi-Fi network, to intercept traffic. Simply having the app installed does not trigger the bug; the attacker must actively intercept the connection while the user is using the app to communicate with the server.

Is my device at risk if it is not internet-facing?

Halo Surface Signal notes that this risk is very unlikely because it requires an attacker to be on the specific network path between your mobile device and the server. It is not an internet-facing service or appliance, so you are primarily at risk when using the app on untrusted or shared network connections.

What should I do if I use the EVbee Service app?

Identify where this app is deployed within your organization and determine if its usage involves sensitive charging operations. Coordinate with your application management or IT team to evaluate the risks of continued use and monitor for official updates from the vendor that address the certificate validation and encryption weaknesses.

References