Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Published: 2026-06-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the WebSocket backend of the EVoke CSMS, where charging station identifiers are meant to uniquely associate a session, but the implementation permits multiple connections using the same session identifier. This predictable session management allows an attacker to impersonate a charger or to flood the backend with valid session requests, potentially leading to unauthorized authentication or a denial-of-service condition. The weakness is a lack of proper session expiration and uniqueness enforcement, and it is classified under CWE-613.

Affected Systems

The affected product is EVoke CSMS from EVoke. No specific product versions are mentioned in the current information, so an assessment of which firmware revisions are impacted cannot be performed.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote over the WebSocket traffic used for OCPP communication, as the flaw is limited to the WebSocket backend and requires network access to the CSMS.

Generated by OpenCVE AI on June 25, 2026 at 22:25 UTC.

Remediation

Vendor Solution

EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers (OEMs), EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3.


Vendor Workaround

EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers.


OpenCVE Recommended Actions

  • Update or install the vendor‑provided CSMS patch that enables OCPP Security Profile 2 or 3 for all connected chargers, or apply an allow‑list that accepts only registered charger identifiers for legacy devices that cannot be upgraded
  • Configure the CSMS to enforce a single active connection per charger ID, rejecting or terminating any duplicate sessions and monitoring for anomalous connection patterns such as repeated attempts or IP address changes
  • Enable WebSocket gateway rate limiting to curb excessive connection attempts and mitigate the risk of denial‑of‑service; regularly review security logs for flagged events
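
The single-connection rule and the allow-list described above can be sketched as a small connection registry. This is an added example, not EVoke's code: the class and policy names are hypothetical, and the charger IDs and addresses in the demo are constructed.

```python
from dataclasses import dataclass, field

REJECT_NEW = "reject_new"     # refuse the second connection
REPLACE_OLD = "replace_old"   # terminate the previous session instead

@dataclass
class Session:
    charger_id: str
    peer: str                 # remote address of the WebSocket peer
    closed: bool = False

    def close(self):
        self.closed = True    # a real server would close the WebSocket here

@dataclass
class ConnectionRegistry:
    allowed_ids: set                             # registered charger identifiers
    policy: str = REJECT_NEW
    active: dict = field(default_factory=dict)   # charger_id -> Session
    events: list = field(default_factory=list)   # audit trail for monitoring

    def connect(self, charger_id, peer):
        """Return the accepted Session, or None if the connection is refused."""
        if charger_id not in self.allowed_ids:
            self.events.append(("unknown_id", charger_id, peer))
            return None
        current = self.active.get(charger_id)
        if current is not None:
            # A duplicate from a different address is the pattern worth alerting on.
            kind = "duplicate_same_peer" if current.peer == peer else "duplicate_new_peer"
            self.events.append((kind, charger_id, peer))
            if self.policy == REJECT_NEW:
                return None
            current.close()                      # REPLACE_OLD: end the previous session
        session = Session(charger_id, peer)
        self.active[charger_id] = session
        return session

    def disconnect(self, session):
        """Free the slot only if this session still owns it."""
        session.close()
        if self.active.get(session.charger_id) is session:
            del self.active[session.charger_id]

if __name__ == "__main__":
    reg = ConnectionRegistry({"CS-0001"})        # constructed charger ID
    reg.connect("CS-0001", "198.51.100.10")      # accepted
    reg.connect("CS-0001", "203.0.113.7")        # refused as a duplicate
    print(reg.events)
```

The registry only enforces uniqueness and records duplicates; establishing that the peer behind a charger ID is the real charger still depends on Security Profile 2 or 3.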


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

Type / Values Removed / Values Added
Description: The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Title: EVoke Systems EVoke CSMS Insufficient Session Expiration
Weaknesses: CWE-613
References
Metrics: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-25T20:56:37.572Z

Reserved: 2026-06-18T19:23:06.061Z

Link: CVE-2026-54479

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration