Description
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Published: 2026-02-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential credential compromise via publicly accessible mapping platforms
Action: Monitor
AI Analysis

Impact

The vulnerability enables an attacker to discover charging station authentication identifiers through publicly accessible web‑based mapping platforms. Because these IDs are not protected, the exposure can lead to credential compromise, granting unauthorized access to station functions or data. The weakness is categorized as CWE‑522 and presents a moderate confidentiality risk.

Affected Systems

EV Energy’s ev.energy charging station platform is affected; no specific version information is supplied, so all releases of the platform should be considered at risk.

Risk and Exploitability

This issue receives a CVSS score of 6.9, indicating moderate severity. The EPSS score is less than 1%, reflecting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, involving web traffic that exposes credential data via mapping services, and requires the attacker to access or probe the public mapping URLs in order to retrieve authentication identifiers.

Generated by OpenCVE AI on April 15, 2026 at 20:10 UTC.

Remediation

Vendor Workaround

EV Energy did not respond to CISA's request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

OpenCVE Recommended Actions

  • Contact EV Energy through their contact page (https://www.ev.energy/en-us) to obtain any available patch, guidance, or additional mitigation steps.
  • Restrict network perimeter by blocking or limiting access to the web‑based mapping platforms that expose charging station credentials, using firewall or router rules.
  • Enforce strong authentication on all charging stations, including multi‑factor authentication where possible, and rotate credentials regularly to reduce the window of exposure.

Generated by OpenCVE AI on April 15, 2026 at 20:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Tue, 03 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Ev.energy
Ev.energy ev.energy
CPEs cpe:2.3:a:ev.energy:ev.energy:*:*:*:*:*:*:*:*
Vendors & Products Ev.energy
Ev.energy ev.energy

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Ev Energy
Ev Energy ev.energy
Vendors & Products Ev Energy
Ev Energy ev.energy

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Title EV Energy ev.energy Insufficiently Protected Credentials
Weaknesses CWE-522
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Ev.energy Ev.energy
Ev Energy Ev.energy
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-08T15:03:34.669Z

Reserved: 2026-02-24T00:16:49.664Z

Link: CVE-2026-25774

cve-icon Vulnrichment

Updated: 2026-03-03T01:30:45.580Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T01:16:20.123

Modified: 2026-03-05T21:16:16.203

Link: CVE-2026-25774

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses
  • CWE-522

    Insufficiently Protected Credentials