Description
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Published: 2026-02-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Control of Charging Infrastructure
Action: Patch ASAP
AI Analysis

Impact

This vulnerability stems from missing authentication on the OCPP WebSocket endpoints of the SWITCH EV software. An attacker can connect to the endpoint without credentials, impersonate charging stations, and issue or receive OCPP commands as if they were a legitimate charger. The resulting impact includes the ability to gain unauthorized control over charging infrastructure and to corrupt the data reported to the backend, potentially disrupting network integrity and availability.

Affected Systems

The product affected is SWITCH EV’s swtchenergy.com software. All releases that expose the WebSocket OCPP interface without authentication are vulnerable; specific patch-level or version details are not publicly documented, so all current installations should be reviewed for missing authentication.

Risk and Exploitability

The CVSS score of 9.3 signals a high-severity risk, though the EPSS score of less than 1% indicates a low exploitation probability and the vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is remote, over the network to the WebSocket endpoint. An attacker who knows a charging station identifier can establish a session, send arbitrary OCPP commands, and thereby act with the privileges of that station.

Generated by OpenCVE AI on April 17, 2026 at 14:09 UTC.

Remediation

Vendor Workaround

SWITCH EV did not respond to CISA's request for coordination. Contact SWITCH EV using their contact page here: https://swtchenergy.com/contact/ for more information.


OpenCVE Recommended Actions

  • Contact SWITCH EV via their contact page at https://swtchenergy.com/contact/ to obtain a patch or to report the issue.
  • Implement strong authentication for all OCPP WebSocket endpoints, ensuring that only authorized clients can initiate connections.
  • Restrict network access to the WebSocket service to trusted IP ranges or use network segmentation so that only internal components and authenticated devices can reach it.
  • Enable logging of all OCPP command traffic, monitor for anomalous usage, and apply rate limiting or intrusion detection to mitigate potential abuse.
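As an added example (not code from the advisory or from SWITCH EV), this is the handshake check a CSMS can apply so that the second recommendation holds: the charger must present HTTP Basic credentials on the WebSocket upgrade, and the authenticated identity must match the charge point identifier in the URL. The credential store, station identifiers, passwords and path layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import unquote

# Constructed sample credential store (not from the advisory): charge point
# identity -> (salt, PBKDF2-SHA256 hash of that station's Basic-auth password).
PBKDF2_ITERATIONS = 100_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def make_store(plaintext: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Provisioning step: keep salted hashes so the CSMS never stores plaintext."""
    store = {}
    for cp_id, password in plaintext.items():
        salt = os.urandom(16)
        store[cp_id] = (salt, _hash_password(password, salt))
    return store

def station_headers(cp_id: str, password: str) -> dict[str, str]:
    """Headers a legitimately provisioned charger sends on its WebSocket upgrade."""
    token = base64.b64encode(f"{cp_id}:{password}".encode()).decode()
    return {"authorization": "Basic " + token, "sec-websocket-protocol": "ocpp1.6"}

def authenticate_upgrade(path: str, headers: dict[str, str], store) -> tuple[bool, str]:
    """Gate the HTTP upgrade before any OCPP frame is read; returns (accepted, audit reason).
    path: request target such as "/ocpp/CP001" (last segment is the charge point identity).
    headers: request headers with lower-cased names."""
    cp_id = unquote(path.rstrip("/").rsplit("/", 1)[-1])
    offered = [p.strip() for p in headers.get("sec-websocket-protocol", "").split(",")]
    if "ocpp1.6" not in offered:
        return False, "no OCPP subprotocol offered"
    auth = headers.get("authorization", "")
    if not auth.startswith("Basic "):
        return False, "missing credentials"
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False, "malformed credentials"
    # The authenticated user must equal the identity in the URL, so a credential
    # issued to station A cannot open a session that claims to be station B.
    if user != cp_id or cp_id not in store:
        return False, "unknown station or identity mismatch"
    salt, expected = store[cp_id]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return False, "wrong password"
    return True, "authenticated"
```

The reason string is intended for the server-side audit log that the fourth recommendation calls for; the client should only see the upgrade refused.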


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Swtchenergy
Swtchenergy swtchenergy.com
CPEs cpe:2.3:a:swtchenergy:swtchenergy.com:*:*:*:*:*:*:*:*
Vendors & Products Swtchenergy
Swtchenergy swtchenergy.com

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Switch Ev
Switch Ev swtchenergy.com
Vendors & Products Switch Ev
Switch Ev swtchenergy.com

Fri, 27 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Title SWITCH EV swtchenergy.com Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T20:43:40.109Z

Reserved: 2026-02-23T23:48:14.385Z

Link: CVE-2026-27767

Vulnrichment

Updated: 2026-03-02T20:36:51.864Z

NVD

Status: Modified

Published: 2026-02-27T00:16:58.073

Modified: 2026-03-05T21:16:17.993

Link: CVE-2026-27767

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses