Description
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Published: 2026-06-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from charger authentication identifiers that are publicly accessible via web‑based mapping platforms. Compromise of these credentials can allow an attacker to spoof a legitimate charger, establish unauthorized sessions, and potentially disrupt charging operations. This represents an instance of CWE‑522, where insufficiently protected credentials facilitate impersonation attacks.

Affected Systems

All deployments of EVoke’s EVoke CSMS are affected, particularly environments that still operate legacy chargers capable of only OCPP Security Profiles 0 or 1. The vulnerability applies regardless of the CSMS version, as the issue stems from the lack of secure credential handling rather than a specific code defect.

Risk and Exploitability

The CVSS score of 6.9 classifies the issue as medium severity, and the EPSS score is not available, indicating limited current exploitation data. Because the attack vector would rely on publicly discoverable identifiers, an adversary could perform connection attempts over the network to impersonate a charger. No public exploit is listed, and the vulnerability is not part of CISA’s KEV catalog. Nonetheless, the potential for spoofing and denial‑of‑service through repeated authentication attempts justifies monitoring and mitigation.

Generated by OpenCVE AI on June 25, 2026 at 22:27 UTC.

Remediation

Vendor Solution

EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers (OEMs), EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3.


Vendor Workaround

EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers.


OpenCVE Recommended Actions

  • Migrate all supported chargers to OCPP Security Profile 2 or 3 to enforce TLS or mutual TLS authentication and eliminate reliance on exposed identifiers.
  • Enable server‑side allowlisting of charger IDs so only pre‑registered chargers are accepted and reject unknown IDs.
  • Deploy connection rate limiting and session anomaly monitoring at the WebSocket gateway to prevent replay or duplicate session attacks.
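The vendor workaround (one active connection per charger ID) and the allowlisting and rate-limiting actions above describe a single admission check at the CSMS WebSocket gateway. The following is an added illustration of that check, not EVoke's code; the class and method names, the `CP-0001` style identifiers and the "reject new" versus "evict previous" switch are assumptions, and the sample charger IDs and peers used in comments are constructed.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AdmissionPolicy:
    registered_ids: set           # allowlist of pre-registered charger IDs (assumed format)
    max_attempts: int = 5         # connection attempts allowed per source IP per window
    window_seconds: float = 60.0
    evict_previous: bool = False  # True: terminate the old session; False: reject the new one


class ConnectionGate:
    """Admission check run by the WebSocket gateway before an OCPP session is opened."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                  # injectable so tests can move time forward
        self.active = {}                    # charger_id -> (ip, port) of the live session
        self.attempts = defaultdict(deque)  # source ip -> timestamps of recent attempts

    def _rate_exceeded(self, ip):
        now = self.clock()
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()                     # drop attempts that fell out of the sliding window
        return len(q) > self.policy.max_attempts

    def admit(self, charger_id, peer):
        """Decide on a new connection; returns (decision, evicted_peer)."""
        if self._rate_exceeded(peer[0]):
            return "reject_rate_limited", None
        if charger_id not in self.policy.registered_ids:
            return "reject_unknown_id", None   # unknown IDs never reach the OCPP layer
        previous = self.active.get(charger_id)
        if previous is not None and previous != peer:
            if not self.policy.evict_previous:
                return "reject_duplicate", None  # charger ID already has a live session
            self.active[charger_id] = peer
            return "accept", previous            # caller must close the evicted session
        self.active[charger_id] = peer
        return "accept", None

    def disconnect(self, charger_id, peer):
        """Release the slot only if the closing socket actually owns the session."""
        if self.active.get(charger_id) == peer:
            del self.active[charger_id]
```

In production the `attempts` map should be pruned of idle source addresses, and every non-accept decision should be emitted to the session anomaly monitoring mentioned above rather than silently dropped.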


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Title | | EVoke Systems EVoke CSMS Insufficiently Protected Credentials
Weaknesses | | CWE-522
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
 | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-25T20:53:17.163Z

Reserved: 2026-06-18T19:23:06.063Z

Link: CVE-2026-44622

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-522: Insufficiently Protected Credentials