Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a lack of proper authentication on the WebSocket endpoints used by the EVoke CSMS platform, which allows an attacker to impersonate a charging station. An adversary can connect without credentials and issue commands or retrieve sensitive data, effectively escalating privileges and potentially compromising the entire electric vehicle supply equipment management system. This flaw is classified as CWE-306, "Missing Authentication for Critical Function": identity is not verified at the communication layer.

Affected Systems

The affected product is EVoke Systems' EVoke CSMS platform, which supports WebSocket communication for charging stations. No specific version information is provided, implying that all current releases of EVoke CSMS that expose WebSocket endpoints without authentication are vulnerable. Users running EVoke CSMS, regardless of the underlying charger hardware, should assess whether their deployment uses the default unsecured WebSocket connections.

Risk and Exploitability

The CVSS score of 9.3 is rated Critical, and although no EPSS score is available, the lack of authentication gives adversaries an obvious, low-effort attack path. The vulnerability is not listed in CISA’s KEV catalog, but the combination of high impact and straightforward exploitation makes it a priority for remediation. Attackers can simply open a WebSocket connection, spoof a charger identifier, and send commands as though they were an authorized charging station, leading to data theft or command injection. The EVoke-provided workaround recommends enforcing a single active connection per charger ID, rejecting IDs that are not on an allow-list, and implementing rate limiting at the gateway; these mitigations reduce but do not eliminate the risk until stronger TLS-based authentication (OCPP Security Profiles 2 or 3) is in place.

Generated by OpenCVE AI on June 25, 2026 at 22:24 UTC.

Remediation

Vendor Solution

EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers (OEMs), EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3.


Vendor Workaround

EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers.


OpenCVE Recommended Actions

  • Enforce the EVoke CSMS allow‑list protection so that only charger IDs registered in the CSMS inventory database are accepted and reject any unknown or spoofed identifiers.
  • Implement the vendor’s single‑active‑session rule: drop any new connection that duplicates an existing charger ID or terminate the previous session, and apply WebSocket gateway rate limiting to block abusive connection attempts.
  • Monitor logged security events for repeated connection attempts, IP changes, or abnormal message patterns and investigate any flagged anomalies promptly.
  • Plan and execute charger firmware upgrades to OCPP Security Profile 2 or 3 where supported, so that TLS encryption and mutual authentication replace the current unauthenticated WebSocket communication.
  • For legacy chargers that cannot receive firmware updates, apply EVoke’s lifecycle policy: identify unsupported models, classify risk, and coordinate migration or replacement with site operators.
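
One way to implement the allow-list, single-active-session and rate-limit checks listed above at the WebSocket gateway, as an added example (not EVoke or OpenCVE code). The class name, decision strings, thresholds and sample charger IDs are assumptions, and it uses the reject-new-connection variant of the vendor workaround.

```python
import time
from collections import defaultdict, deque

class ChargerGate:
    """Admission checks run before a charger's WebSocket upgrade is accepted."""

    def __init__(self, allowed_ids, max_attempts=5, window_s=60.0, clock=time.monotonic):
        self.allowed = set(allowed_ids)     # charger IDs registered in the inventory
        self.max_attempts, self.window_s, self.clock = max_attempts, window_s, clock
        self.active = {}                    # charger_id -> source IP of the live session
        self.attempts = defaultdict(deque)  # source IP -> timestamps of recent attempts
        self.events = []                    # security events for the monitoring pipeline

    def _reject(self, reason, charger_id, ip):
        self.events.append({"t": self.clock(), "event": reason,
                            "charger_id": charger_id, "ip": ip})
        return "reject:" + reason

    def admit(self, charger_id, ip):
        now, recent = self.clock(), self.attempts[ip]
        while recent and now - recent[0] > self.window_s:  # slide the rate window
            recent.popleft()
        recent.append(now)
        if len(recent) > self.max_attempts:
            return self._reject("rate_limit", charger_id, ip)
        if charger_id not in self.allowed:
            return self._reject("unknown_id", charger_id, ip)
        if charger_id in self.active:
            # Reject-new variant of the single-active-session rule; a differing
            # source IP is logged separately because it may indicate a spoofed ID.
            moved = self.active[charger_id] != ip
            return self._reject("duplicate_id_new_ip" if moved else "duplicate_id",
                                charger_id, ip)
        self.active[charger_id] = ip
        return "accept"

    def close(self, charger_id):
        self.active.pop(charger_id, None)   # call when the session's socket closes

def demo():
    # Constructed sample: two registered chargers, documentation-range IPs.
    gate = ChargerGate({"CP-001", "CP-002"}, max_attempts=3)
    tries = [("CP-001", "198.51.100.7"), ("CP-001", "203.0.113.9"),
             ("CP-999", "203.0.113.9"), ("CP-002", "203.0.113.9"),
             ("CP-002", "203.0.113.9")]
    return [gate.admit(cid, ip) for cid, ip in tries], gate.events

if __name__ == "__main__":
    print(demo())
```

As the analysis above notes, these checks narrow the room for impersonation but do not authenticate the charger; that still requires OCPP Security Profile 2 or 3.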


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. |
| Title | | EVoke Systems EVoke CSMS Missing Authentication for Critical Function |
| Weaknesses | | CWE-306 |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-25T20:59:53.495Z

Reserved: 2026-06-18T19:23:06.055Z

Link: CVE-2026-40702

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function