Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Disable Platform
AI Analysis

Impact

WebSocket endpoints in the Everon api.everon.io platform lack authentication, allowing an attacker to impersonate a charging station. By connecting to the OCPP WebSocket endpoint with a known or easily discoverable station identifier, the attacker can issue or receive OCPP commands as if it were a legitimate charger. This flaw can result in unauthorized control of charging infrastructure, corruption of network data sent to the backend, and overall escalation of privileges for the attacker. The weakness is identified as CWE-306, Missing Authentication for a Critical Function.

Affected Systems

The vulnerability targets the Everon:api.everon.io product line. Version information is not specified in the available data. The platform was shut down on December 1, 2025, removing the immediate risk, but any legacy installations that remain may still be susceptible if not updated or removed.

Risk and Exploitability

The CVSS score of 9.3 classifies the issue as a critical risk. The EPSS score is below 1%, suggesting that exploit attempts appear rare, though the flaw is present. It is not listed in the CISA KEV catalog, indicating no confirmed exploitation to date. An attacker could target the platform from anywhere that can reach the OCPP WebSocket endpoints, requiring only network access without authentication. The absence of authentication means that any such attacker can immediately elevate privileges and manipulate charging data.

Generated by OpenCVE AI on April 16, 2026 at 11:22 UTC.

Remediation

Vendor Workaround

Everon has shut down their platform on December 1st, 2025.

OpenCVE Recommended Actions

  • Confirm the Everon platform has been shut down and remove any remaining instances from the network.
  • If any instances are still in operation, enforce authentication on all OCPP WebSocket endpoints—require client certificates or server-side token verification before accepting connections.
  • Continuously monitor OCPP traffic for unauthorized commands and verify that authentication controls remain effective and uncompromised.

Generated by OpenCVE AI on April 16, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Everon
Everon api.everon.io
Vendors & Products Everon
Everon api.everon.io

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Title Everon api.everon.io Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Everon Api.everon.io
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-10T17:59:22.789Z

Reserved: 2026-02-25T15:28:27.119Z

Link: CVE-2026-26288

cve-icon Vulnrichment

Updated: 2026-03-10T17:48:05.655Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-06T16:16:10.723

Modified: 2026-03-10T18:18:43.443

Link: CVE-2026-26288

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses