
Charging Chaos: Critical Flaws Expose Mobiliti EV Stations to Remote Takeover

Security Arsenal Team
March 4, 2026

As the world accelerates toward electrified transportation, the security of the underlying charging infrastructure has become a paramount concern. Recently, CISA issued a stark warning regarding multiple vulnerabilities in Mobiliti’s e-mobi.hu electric vehicle (EV) charging software. These aren't minor bugs; they are critical design flaws that could allow malicious actors to hijack charging sessions, disrupt power delivery, and corrupt operational data.

Because the vendor has reportedly not responded to coordination efforts, the onus falls heavily on infrastructure operators to secure their environments immediately. Here is our deep dive into the risks and the defensive maneuvers required to keep the grid—and your fleet—safe.

The Threat Landscape: Unplugged and Unprotected

The Mobiliti e-mobi.hu platform manages EV charging stations, specifically communicating via the Open Charge Point Protocol (OCPP). The core issue lies in the implementation of WebSocket endpoints, which serve as the communication channel between the charging station and the central backend system.

The vulnerabilities—tracked as CVE-2026-26051, CVE-2026-20882, CVE-2026-27764, and CVE-2026-27777—collectively create a perfect storm. Attackers can exploit these flaws to bypass authentication checks, overwhelm systems with traffic, or effectively "shadow" a legitimate charging station to intercept commands.

Technical Analysis: Breaking Down the CVEs

To understand the severity, we must look at the specific mechanics of these flaws:

1. The Open Door (CVE-2026-26051 - CVSS 9.4 CRITICAL)

This is the most concerning vulnerability. The WebSocket endpoints responsible for OCPP communication lack proper authentication mechanisms. In a secure environment, a charger should authenticate itself using strong credentials (certificates or tokens). In this case, an attacker only needs to know the Charging Station Identifier—which is often predictable or publicly visible—to connect to the backend. Once connected, they can issue commands as if they were the physical hardware, potentially granting unauthorized administrative control over the charging infrastructure.

2. The Denial of Service Vector (CVE-2026-20882 - CVSS 7.5 HIGH)

The system lacks rate limiting on authentication requests. An attacker can flood the WebSocket API with connection attempts or authentication tries. This not only facilitates brute-force attacks on any weak endpoints that might exist but also allows for DoS attacks by suppressing legitimate telemetry data from actual chargers. If the backend cannot hear the chargers, the grid goes dark.

3. Session Shadowing (CVE-2026-27764 - CVSS 7.3 HIGH)

The backend uses Charging Station IDs to manage sessions but allows multiple endpoints to bind to the same ID simultaneously. The implementation favors the "most recent" connection. This enables a "session hijacking" or "shadowing" attack where an attacker connects, kicks the real charger offline, and receives all the backend commands intended for that hardware. The real charger is left stranded, while the attacker controls the session.

4. Exposed Credentials (CVE-2026-27777 - CVSS 6.5 MEDIUM)

The very identifiers needed to launch the attacks described above are often exposed via web-based mapping platforms. This reconnaissance step is trivialized for attackers, providing them with a target list of valid IDs.
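To make the three backend-side flaws concrete, here is an added Python model of an OCPP connection broker (example code written for this article, not Mobiliti's implementation). The `most_recent_wins` switch reproduces the binding behaviour described for CVE-2026-27764; the default instead refuses a second binding to a live station ID, requires a per-station secret rather than the bare station ID (CVE-2026-26051), and rate-limits authentication attempts per source address (CVE-2026-20882). Station IDs, secrets and addresses are constructed for the example.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed per-station secrets for this example. In a real backend they
# would come from a certificate or token store; the station ID alone is public.
STATION_SECRETS = {"HU-BUD-0001": b"s3cr3t-0001", "HU-BUD-0002": b"s3cr3t-0002"}


class OcppBroker:
    """Toy model of a backend that accepts OCPP WebSocket connections."""

    def __init__(self, most_recent_wins=False, max_attempts=5, window=60.0):
        # most_recent_wins=True reproduces the binding behaviour the advisory
        # describes: a new connection for an existing ID displaces the old one.
        self.most_recent_wins = most_recent_wins
        self.max_attempts = max_attempts      # auth attempts allowed per source IP ...
        self.window = window                  # ... within this many seconds
        self.attempts = defaultdict(deque)    # src_ip -> timestamps of attempts
        self.sessions = {}                    # station_id -> src_ip holding the session

    def _rate_limited(self, src_ip, now):
        q = self.attempts[src_ip]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return True
        q.append(now)
        return False

    def connect(self, station_id, secret, src_ip, now=None):
        """Return the outcome of a connection attempt from src_ip for station_id."""
        now = time.monotonic() if now is None else now
        if self._rate_limited(src_ip, now):
            return "rate_limited"
        expected = STATION_SECRETS.get(station_id)
        # Knowing the ID is not enough: a per-station secret is checked in constant time.
        if expected is None or not hmac.compare_digest(expected, secret):
            return "auth_failed"
        holder = self.sessions.get(station_id)
        if holder is not None and holder != src_ip and not self.most_recent_wins:
            # Hardened: the ID is already bound to a live peer; refuse the newcomer.
            # (A production broker would ping the holder before treating it as live.)
            return "already_bound"
        self.sessions[station_id] = src_ip   # vulnerable mode: displaces the real charger
        return "connected"

    def route(self, station_id):
        """Which peer would receive backend commands addressed to station_id."""
        return self.sessions.get(station_id)
```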

Detection and Threat Hunting

Given that Mobiliti has not released a patch, detection of exploitation attempts is vital. Security teams should monitor network traffic for anomalies in OCPP communication, specifically looking for multiple source IPs connecting to the same session ID or unauthorized connection attempts.

KQL Query (Sentinel/Defender)

Detect session shadowing by monitoring for multiple distinct source IPs connecting to the same Charging Station ID within a short time window.

let TimeWindow = 1h;
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
// Backend-side view: connections accepted by the OCPP server. The peer (RemoteIP)
// is the connecting charger or an impostor; LocalPort is the listening service port.
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in (8000, 8081, 9000) // Common OCPP WebSocket ports, adjust as needed
// Adapt the pattern to how your backend exposes the station ID (many OCPP deployments
// carry it in the WebSocket path). RemoteUrl is often empty for inbound events; if the
// backend's own access log is ingested, its URL and client-IP fields are the better source.
| extend ChargingStationID = extract(@"StationID=([^&]+)", 1, RemoteUrl)
| where isnotempty(ChargingStationID)
| summarize ConnectionCount = dcount(RemoteIP), IPList = make_set(RemoteIP) by ChargingStationID, bin(Timestamp, 10m)
| where ConnectionCount > 1
| project Timestamp, ChargingStationID, ConnectionCount, IPList
| order by ConnectionCount desc


Bash Script: Network Exposure Check

Administrators can use this simple shell script to check whether their charging station management interfaces are reachable from outside the charging network; exposure to the internet is a primary contributor to the attack surface. It relies only on bash's /dev/tcp pseudo-device, so no nmap or netcat is required.

#!/bin/bash
# Run this from OUTSIDE the charging network segment (e.g. a host on the corporate
# LAN or the internet) to see what is actually reachable from there; a scan from
# inside the chargers' own VLAN says nothing about exposure.
set -u

# List of target charging station controller IPs (replace with your own)
TARGETS=("192.168.1.100" "192.168.1.101")
# Common OCPP/WebSocket ports
PORTS=("8000" "8081" "443")

echo "Scanning for exposed OCPP/WebSocket ports..."

for ip in "${TARGETS[@]}"; do
  echo "Checking host: $ip"
  for port in "${PORTS[@]}"; do
    # 1-second connect attempt via /dev/tcp; success means something is listening and reachable
    if timeout 1 bash -c "cat < /dev/null > /dev/tcp/$ip/$port" 2>/dev/null; then
      echo "[!] Port $port is OPEN on $ip"
    else
      echo "[-] Port $port is closed or filtered on $ip"
    fi
  done
done

Mitigation Strategies

With no vendor patch available, defensive measures must focus on network architecture and access control.

  1. Network Isolation (Segmentation): This is the most effective mitigation. Ensure charging stations are on a dedicated VLAN or ICS network, strictly separated from the corporate business network and the public internet.

  2. Firewall Rules: Implement strict firewall policies that only allow outbound WebSocket connections from the charging stations to the specific backend IP addresses. Block all unsolicited inbound connections to the charging stations.

  3. VPN Enforcement: If remote access is absolutely necessary for maintenance, ensure it is routed through a secure VPN with Multi-Factor Authentication (MFA). Do not rely on the application's authentication.

  4. Deep Packet Inspection (DPI): Utilize IDS/IPS signatures to detect malformed OCPP packets or anomalous WebSocket traffic patterns indicative of brute-forcing.

The Mobiliti situation serves as a reminder that IoT and OT devices often lag behind traditional IT in security maturity. Until patches are available, "Zero Trust" and network hardening are your only shields.

