Back to Intelligence

Defending Against Critical IGL-Technologies eParking.fi Vulnerabilities (CVSS 9.4) in EV Charging Infrastructure

SA
Security Arsenal Team
April 3, 2026
5 min read

Cybersecurity threats against Operational Technology (OT) and critical infrastructure are evolving rapidly. A recent CISA advisory (ICSA-26-078-07) highlights a critical set of vulnerabilities affecting IGL-Technologies eParking.fi software, widely used in Electric Vehicle (EV) charging management. With a CVSS score of 9.4, these flaws present a severe risk to Energy and Transportation Systems sectors worldwide.

This post analyzes the technical details of CVE-2026-29796 and associated issues, providing defenders with actionable detection rules and remediation strategies.

Technical Analysis

Affected Product: IGL-Technologies eParking.fi (All versions)

CVE Identified: CVE-2026-29796 (alongside other identified weaknesses)

Vulnerability Class: The advisory identifies multiple security issues including:

  • Missing Authentication for Critical Function
  • Improper Restriction of Excessive Authentication Attempts
  • Insufficient Session Expiration
  • Insufficiently Protected Credentials

Severity: CVSS v3 9.4 (CRITICAL)

Impact: Successful exploitation allows attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt services via Denial-of-Service (DoS) attacks. Given the integration with energy grids, the availability and integrity of these systems are paramount.

Defensive Monitoring

Defenders must assume that active scanning or exploitation attempts may already be underway. The following detection mechanisms focus on identifying exploitation behaviors on the management servers running eParking.fi or associated web services.

SIGMA Detection Rules

The following SIGMA rules detect common post-exploitation behaviors associated with web application vulnerabilities, such as web shells or unauthorized process spawning.

YAML
---
title: Potential Web Shell Creation in Web Directories
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the creation of suspicious files in common web directories which may indicate web shell upload following exploitation of authentication vulnerabilities.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-07
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\inetpub\\wwwroot\\'
      - '\\wwwroot\\'
      - '\\htdocs\\'
    TargetFilename|endswith:
      - '.aspx'
      - '.asp'
      - '.php'
  condition: selection
falsepositives:
  - Legitimate administrative software updates
  - Legitimate web application development
level: high
---
title: Web Server Process Spawning System Shell
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects web server processes spawning cmd.exe or powershell.exe, often indicative of successful Remote Code Execution (RCE) or authentication bypass exploitation.
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-07
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\\w3wp.exe'
      - '\\httpd.exe'
      - '\\nginx.exe'
      - '\\java.exe'
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts run by developers
  - Server management tools
level: critical

KQL Queries (Microsoft Sentinel/Defender)

Use these queries to hunt for signs of brute force attacks or suspicious administrative activity related to the eParking.fi management interface.

KQL — Microsoft Sentinel / Defender
// Hunt for excessive failed login attempts (Brute Force)
// Adjust the 'ServiceName' or 'TargetUserName' based on your specific eParking.fi logs if ingested
SigninLogs
| where ResultType == "50126" or ResultType == "50053" // Failure codes example
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 5m)
| where count_ > 5
| project TimeGenerated, UserPrincipalName, IPAddress, count_
| order by TimeGenerated desc


// Detect successful administrative logins from unfamiliar locations or devices
// This helps identify unauthorized administrative control gained via auth bypass
DeviceLogonEvents
| where ActionType == "LogonSuccess" and LogonType == "10" // RemoteInteractive
| extend OSVer = tostring(OSVersion)
| project Timestamp, AccountName, AccountDomain, DeviceName, RemoteIP, RemoteDeviceName
| order by Timestamp desc

Velociraptor VQL Hunt

These VQL artifacts are designed to hunt for web shells or suspicious modifications on the endpoint hosting the management software.

VQL — Velociraptor
-- Hunt for recently modified ASPX/PHP files in web directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='C:\\inetpub\wwwroot\**\*.aspx')
  OR glob(globs='C:\\inetpub\wwwroot\**\*.php')
WHERE Mtime > timestamp(now) - 3600
   OR Size < 5  -- Detect tiny web shells

-- Hunt for processes spawned by IIS worker processes
SELECT Name, Pid, Ppid, Exe, CommandLine, StartTime
FROM pslist()
WHERE Ppid IN (SELECT Pid FROM pslist() WHERE Name =~ "w3wp")
  AND Name =~ "(cmd|powershell|pwsh)"

PowerShell Verification

This script helps identify if unauthorized local users have been created, a common step after gaining administrative control.

PowerShell
<#
.SYNOPSIS
    Audit local users for suspicious creation dates.
.DESCRIPTION
    Checks for local user accounts created recently or with suspicious characteristics.
#>

$CutoffDate = (Get-Date).AddDays(-7)
$SuspiciousUsers = Get-LocalUser | Where-Object { $_.LastLogon -gt $CutoffDate -or $_.PasswordLastSet -gt $CutoffDate }

if ($SuspiciousUsers) {
    Write-Host "[!] Potential unauthorized user activity detected:" -ForegroundColor Red
    $SuspiciousUsers | Format-Table Name, PrincipalSource, LastLogon, PasswordLastSet, Enabled
} else {
    Write-Host "[+] No suspicious local user accounts found within the last 7 days." -ForegroundColor Green
}

Remediation

Organizations utilizing IGL-Technologies eParking.fi must act immediately to secure their environments.

  1. Patch and Update: Contact IGL-Technologies or check the vendor portal immediately for the latest security patches addressing CVE-2026-29796. Apply patches to all affected instances.

  2. Isolate Management Systems: If immediate patching is not possible, place the management systems behind a VPN and restrict access strictly to necessary administrative IP ranges. Do not expose the management interface directly to the public internet.

  3. Audit Access: Conduct a thorough audit of system logs for the past 30 days. Look for successful logins outside of business hours or from unusual geographic locations.

  4. Reset Credentials: Assume that credentials may have been exposed due to "Insufficiently Protected Credentials" flaws. Force a password reset for all administrative accounts and enforce strong password complexity.

  5. Network Segmentation: Ensure EV charging stations are segmented from the corporate IT network. Limit communication strictly to required protocols and ports.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

socthreat-intelmanaged-socics-securityev-chargingpatch-managementcritical-infrastructurecisa

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action