Impact
The vulnerability arises from insufficient protection of charging station authentication identifiers. These identifiers are publicly accessible through web‑based mapping platforms, enabling an attacker to view the credentials that grant access to individual stations. With the credentials in hand, an adversary could potentially gain unauthorized control over charging station operations, leading to service disruption or misuse of the station for illicit charging services. This weakness is classified under CWE‑522, which deals with insufficiently protected credentials.
Affected Systems
The affected vendor is SWITCH EV, specifically the swtchenergy.com platform that manages electric vehicle charging stations. All product versions linked to this vendor and product are potentially impacted, as no specific version details are provided. Therefore, any deployed devices or web services associated with this platform should be considered vulnerable until a vendor update or configuration change is applied.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity for an issue that hinges on knowledge or possession of authentication identifiers. Exploitation is remote and may be achieved simply by accessing the public mapping platform, but the EPSS score is less than 1%, suggesting a low likelihood of real‑world exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, further indicating that no active exploitation has been reported yet. Nonetheless, the attack vector is accessible over the internet and could enable an attacker to obtain credentials, which may cascade into unauthorized control of charging stations or denial of service if credentials are reused or stateful sessions are hijacked.
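An operator-side check for the exposure described above, as an added example that is not code from the vendor or from this advisory: it projects internal station records onto a public allowlist and audits a map feed for any value that contains a known authentication identifier. All field names, the identifier, the key and the feed layout are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Hypothetical allowlist: the only fields the public map needs.
PUBLIC_FIELDS = {"name", "lat", "lon", "status"}
TOKEN = re.compile(r"[A-Za-z0-9_-]+")


def public_view(station):
    """Project an internal station record onto the public allowlist."""
    return {k: v for k, v in station.items() if k in PUBLIC_FIELDS}


def digest(value, key):
    """Keyed digest, so the audit job never stores identifiers in plaintext."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def find_leaks(payload, secret_digests, key, path="$"):
    """Return JSON paths whose value contains a known authentication identifier."""
    if isinstance(payload, dict):
        items = [(f"{path}.{k}", v) for k, v in payload.items()]
    elif isinstance(payload, list):
        items = [(f"{path}[{i}]", v) for i, v in enumerate(payload)]
    else:
        # Tokenize scalars so an identifier embedded in a URL is still caught.
        tokens = TOKEN.findall(str(payload))
        hit = any(digest(t, key) in secret_digests for t in tokens)
        return [path] if hit else []
    return [p for child, v in items for p in find_leaks(v, secret_digests, key, child)]


# Constructed sample data; identifier, key and field names are made up.
AUDIT_KEY = b"constructed-audit-key"
INTERNAL = {"name": "Lot B #3", "lat": 40.0, "lon": -74.0, "status": "available",
            "auth_id": "EXAMPLE-ID-0001"}
SECRETS = {digest(INTERNAL["auth_id"], AUDIT_KEY)}
LEAKY_FEED = {"stations": [{"name": "Lot B #3", "station_id": "EXAMPLE-ID-0001",
                            "link": "https://map.example.invalid/s/EXAMPLE-ID-0001/info"}]}
SAFE_FEED = {"stations": [public_view(INTERNAL)]}

if __name__ == "__main__":
    print(find_leaks(LEAKY_FEED, SECRETS, AUDIT_KEY))  # two leaking paths
    print(find_leaks(SAFE_FEED, SECRETS, AUDIT_KEY))   # no leaks
```

Run as a release gate against the feed the map actually serves, since identifiers can reappear in derived fields such as links even after the obvious field is removed.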