Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.
Published: 2026-06-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WebSocket API of the EVoke CSMS does not limit the number of authentication requests, allowing an attacker to repeatedly attempt credential verification. This flaw can be used to flood the service with connection attempts, exhausting resources and causing a denial-of-service, or to brute-force valid credentials, thereby gaining unauthorized access. Based on the description, the vulnerability can be exploited remotely via the WebSocket gateway, which is exposed to the network where EVSEs connect.

Affected Systems

The affected product is EVoke Systems' EVoke CSMS platform, particularly installations that interface with chargers running OCPP Security Profile 0 or 1. These legacy or unsupported chargers lack stronger protections such as TLS or mutual authentication, leaving the CSMS susceptible to the described authentication flood. The issue applies to any installation that has not migrated to Security Profile 2 or 3 and has not implemented server‑side restrictions on charger identifiers.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is available, so the current data gives no measured probability of exploitation, but the lack of rate limiting inherently increases an attacker's opportunity to launch brute-force or denial‑of‑service attacks. The vulnerability is not listed in CISA's KEV catalog, yet the combination of high severity and remote exploitability warrants immediate attention.

Generated by OpenCVE AI on June 25, 2026 at 22:25 UTC.

Remediation

Vendor Solution

EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers (OEMs), EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of the stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3.


Vendor Workaround

EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers.


OpenCVE Recommended Actions

  • Migrate chargers and the CSMS to OCPP Security Profile 2 (TLS with basic authentication) or Profile 3 (mutual TLS with client certificates) as soon as firmware updates allow.
  • Configure the CSMS to accept connection requests only from allow‑listed charger IDs stored in the inventory database, rejecting any unregistered identifiers.
  • Implement WebSocket‑level connection rate limiting at the gateway, throttling excessive authentication attempts from the same source and temporarily blocking abusive traffic patterns.
  • Continuously monitor session anomalies, including repeated connection attempts, sudden IP changes, and abnormal message flows, and flag incidents for operational review.
  • Develop and enforce a lifecycle policy for legacy chargers that cannot support modern security profiles, including identification of unsupported models, risk classification, and coordinated migration or decommissioning with site operators.
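The vendor workaround (one active session per charger ID) and the second and third recommended actions (allow-listed charger IDs, WebSocket-level rate limiting with temporary blocking) can be combined in one admission check in front of the OCPP handler. The following is an added illustration, not EVoke's code or any part of the EVoke CSMS; it assumes the gateway calls `ConnectionGate.admit()` once per authentication attempt, that the "source" key is the client IP, and that the allow-list is loaded from the inventory database. The rate limit is evaluated before the allow-list so that attempts with unregistered charger IDs still count against the source.

```python
"""Connection gate for an OCPP WebSocket gateway: per-source rate limiting,
charger-ID allow-listing, and a single active session per charger ID.

Added example, not EVoke's code. Assumptions (not from the advisory): the
gateway calls ConnectionGate.admit() once per authentication attempt, the
"source" key is the client IP, and the allow-list comes from the inventory DB.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional


@dataclass
class GatePolicy:
    max_attempts: int = 5          # auth attempts per source within window_s
    window_s: float = 60.0         # sliding-window length in seconds
    block_s: float = 300.0         # temporary block once the limit is exceeded
    reject_duplicate: bool = True  # True: reject 2nd session; False: replace it


@dataclass
class Decision:
    allowed: bool
    reason: str
    terminate_session: Optional[str] = None  # existing session to close, if any


class ConnectionGate:
    def __init__(self, allowed_charger_ids: Iterable[str],
                 policy: Optional[GatePolicy] = None) -> None:
        self.allowed = set(allowed_charger_ids)
        self.policy = policy or GatePolicy()
        self.attempts: Dict[str, Deque[float]] = {}   # source -> attempt times
        self.blocked_until: Dict[str, float] = {}     # source -> unblock time
        self.active: Dict[str, str] = {}              # charger_id -> session_id

    def admit(self, source: str, charger_id: str, session_id: str,
              now: float) -> Decision:
        """Decide whether one authentication attempt may proceed.

        The rate limit is applied before the allow-list check so that
        attempts with unknown charger IDs still count against the source."""
        p = self.policy
        if self.blocked_until.get(source, 0.0) > now:
            return Decision(False, "source temporarily blocked")

        window = self.attempts.setdefault(source, deque())
        while window and now - window[0] >= p.window_s:
            window.popleft()          # drop attempts older than the window
        window.append(now)
        if len(window) > p.max_attempts:
            self.blocked_until[source] = now + p.block_s
            window.clear()
            return Decision(False, "rate limit exceeded; source blocked")

        if charger_id not in self.allowed:
            return Decision(False, "charger id not in inventory")

        existing = self.active.get(charger_id)
        if existing is not None and existing != session_id:
            if p.reject_duplicate:
                return Decision(False, "charger id already connected")
            self.active[charger_id] = session_id
            return Decision(True, "replaced previous session",
                            terminate_session=existing)
        self.active[charger_id] = session_id
        return Decision(True, "admitted")

    def disconnect(self, charger_id: str, session_id: str) -> None:
        """Release the slot when the admitted session closes."""
        if self.active.get(charger_id) == session_id:
            del self.active[charger_id]


def replay(gate: ConnectionGate, events) -> List[str]:
    """Feed (time, source, charger_id, session_id) events; return the reasons."""
    return [gate.admit(src, cid, sid, t).reason for t, src, cid, sid in events]


def demo() -> List[str]:
    # Constructed traffic: one legitimate charger plus a flood from one source
    # cycling through guessed charger IDs (sample data, not real logs).
    gate = ConnectionGate({"CP-001", "CP-002"},
                          GatePolicy(max_attempts=3, window_s=60.0, block_s=300.0))
    events = [
        (0.0, "10.0.0.5", "CP-001", "s1"),    # legitimate charger connects
        (1.0, "10.0.0.5", "CP-001", "s2"),    # duplicate session, same ID
        (0.0, "10.0.0.9", "CP-900", "x1"),    # unknown IDs, 3 tries in a row
        (10.0, "10.0.0.9", "CP-901", "x2"),
        (11.0, "10.0.0.9", "CP-902", "x3"),
        (12.0, "10.0.0.9", "CP-002", "x4"),   # 4th attempt trips the limit
        (13.0, "10.0.0.9", "CP-002", "x5"),   # still blocked
        (400.0, "10.0.0.9", "CP-002", "x6"),  # block expired, window reset
    ]
    return replay(gate, events)


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The `reject_duplicate` switch mirrors the two behaviours the vendor workaround describes (reject the new connection, or terminate the previous session); when set to replace, the caller must close the session named in `terminate_session`. Tune `max_attempts` and `window_s` against real reconnect behaviour, since a charger behind a flapping link can legitimately reconnect several times a minute, and log every non-"admitted" decision so that the session-anomaly monitoring in the fourth action has something to consume.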

Generated by OpenCVE AI on June 25, 2026 at 22:25 UTC.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.

Type: Title
  Values removed: (none)
  Values added: EVoke Systems EVoke CSMS Improper Restriction of Excessive Authentication Attempts

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-307

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics
  Values removed: (none)
  Values added:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
    cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-25T20:58:29.541Z

Reserved: 2026-06-18T19:23:06.058Z

Link: CVE-2026-50176

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-307: Improper Restriction of Excessive Authentication Attempts