Description
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Published: 2026-02-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized control of charging infrastructure via unauthenticated WebSocket access
Action: Assess Impact
AI Analysis

Impact

The vulnerability arises from missing authentication on WebSocket endpoints used by the EV Energy ev.energy platform. An attacker who can reach the OCPP WebSocket can connect using a known or guessed charging station identifier and issue or receive commands as if it were a legitimate charger. This flaw enables unauthorized control of charging infrastructure, potential privilege escalation, and corruption of data reported to the backend. The weakness is classified as CWE‑306 and leads to severe integrity, availability, and potentially confidentiality impacts.

Affected Systems

The affected system is the EV Energy ev.energy product. No version information is supplied, which implies that all current releases are vulnerable until an official fix is released. The platform exposes OCPP WebSocket endpoints over the network, allowing attackers to target any station identifier known to an attacker.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is below 1 % and the issue is not yet in the CISA KEV catalog, suggesting low current exploitation probability, but the attack vector is straightforward: any network actor able to reach the WebSocket endpoint can exploit the flaw with only knowledge of a station identifier. Because authentication is absent, an attacker can impersonate a charger and modify commands, leading to unauthorized control of the charging process and data integrity compromise.

Generated by OpenCVE AI on April 16, 2026 at 15:46 UTC.

Remediation

Vendor Workaround

EV Energy did not respond to CISA's request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied updates that enforce authentication on OCPP WebSocket endpoints.
  • Implement authentication mechanisms (for example TLS client certificates or token validation) for all WebSocket connections to ensure only legitimate chargers can connect.
  • Restrict network access to the OCPP WebSocket ports using firewall rules or network segmentation, allowing only trusted infrastructure components or authentic chargers to reach the service.
  • Contact EV Energy via their support contact page to obtain guidance on interim mitigations or a patch.

Generated by OpenCVE AI on April 16, 2026 at 15:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Mon, 02 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Ev.energy
Ev.energy ev.energy
CPEs cpe:2.3:a:ev.energy:ev.energy:*:*:*:*:*:*:*:*
Vendors & Products Ev.energy
Ev.energy ev.energy

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Ev Energy
Ev Energy ev.energy
Vendors & Products Ev Energy
Ev Energy ev.energy

Fri, 27 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Title EV Energy ev.energy Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Ev.energy Ev.energy
Ev Energy Ev.energy
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T20:45:17.841Z

Reserved: 2026-02-24T00:16:49.691Z

Link: CVE-2026-27772

cve-icon Vulnrichment

Updated: 2026-03-02T20:09:00.611Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T00:16:58.250

Modified: 2026-03-05T21:16:18.193

Link: CVE-2026-27772

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses