Critical EV2GO Flaws Expose Charging Infrastructure to Remote Takeover

Security Arsenal Team
February 28, 2026

The rapid expansion of Electric Vehicle (EV) infrastructure is transforming the transportation sector, but this digital evolution brings with it a growing attack surface that is often overlooked. As managed security experts, we are increasingly seeing Operational Technology (OT) and consumer IoT converge in ways that introduce significant risk.

A recent advisory from CISA highlights this danger perfectly. Four critical vulnerabilities have been identified in EV2GO’s ev2go.io charging station management software. These flaws allow attackers to impersonate charging stations, hijack user sessions, and disrupt power delivery—all without a sophisticated skillset.

Most concerningly, CISA notes that EV2GO did not respond to coordination requests. This lack of vendor response places the burden of defense entirely on the operators and network administrators deploying these systems.

The Vulnerability Landscape

The vulnerabilities (CVE-2026-24731, CVE-2026-25945, CVE-2026-20895, CVE-2026-22890) stem from fundamental failures in the implementation of the Open Charge Point Protocol (OCPP) over WebSockets. The affected software versions are listed as ev2go.io vers:all/*, implying a universal risk across the deployment base.

1. The Open Door: Missing Authentication (CVE-2026-24731)

CVSS Score: 9.4 (CRITICAL)

This is the most severe flaw. The WebSocket endpoints used for communication between the charger and the backend lack proper authentication. An attacker needs only to discover a charging station identifier (which is easier than it sounds, see below) to connect to the backend.

Once connected, the backend believes the attacker is a legitimate physical charger. This allows the threat actor to:

  • Impersonate Infrastructure: Send fake telemetry or status updates.
  • Manipulate Data: Corrupt reporting data used for billing or grid load balancing.
  • Privilege Escalation: Gain unauthorized control over the charging network management logic.

2. Session Hijacking and "Shadowing" (CVE-2026-20895)

CVSS Score: 7.3 (HIGH)

The software uses charging station IDs to associate sessions but fails to enforce exclusivity. This vulnerability enables "session shadowing." If an attacker connects using the same ID as an active charger, the backend may treat the attacker’s connection as the valid one, displacing the legitimate hardware. This effectively creates a Denial of Service (DoS) for the actual user and hands control of the session to the attacker.

3. The DoS Vector: Brute Force and Flooding (CVE-2026-25945)

CVSS Score: 7.5 (HIGH)

There are no rate limits on authentication requests. While the primary flaw (CVE-2026-24731) often negates the need for brute-forcing credentials, this vulnerability allows attackers to flood the system with requests. This can suppress legitimate telemetry or exhaust backend resources, causing large-scale outages.

4. OSINT Fail: Exposed Credentials (CVE-2026-22890)

CVSS Score: 6.5 (MEDIUM)

Charging station identifiers are publicly accessible via web-based mapping platforms. This removes the "discovery" phase of the attack chain. Attackers can simply harvest valid IDs from public maps and feed them directly into the exploits mentioned above.
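How a backend without these weaknesses would handle the WebSocket upgrade, as an added example written for this article rather than code from EV2GO or the CISA advisory: per-station credentials are checked in constant time, a second connection for a station ID that is already connected is refused and logged instead of displacing the charger (the "shadowing" case), and authentication failures are rate-limited per source address (the flooding case). The station credentials, the class and method names, and the thresholds are all assumptions made for the example.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed per-station credentials (assumed: the backend provisions one secret per charger,
# in the style of HTTP Basic auth on the OCPP WebSocket upgrade).
STATION_CREDENTIALS = {
    "CP-0001": "s3cret-for-0001",
    "CP-0002": "s3cret-for-0002",
}

MAX_AUTH_FAILURES = 5     # failures tolerated per source IP ...
FAILURE_WINDOW_SEC = 60   # ... within this many seconds


@dataclass
class Session:
    station_id: str
    source_ip: str
    connected_at: float


@dataclass
class OcppGateway:
    """Connection registry for an OCPP-over-WebSocket endpoint (hypothetical).

    Enforces the three properties the advisory says are missing:
      1. every upgrade must present valid per-station credentials,
      2. one station ID owns at most one live session (no silent displacement),
      3. authentication failures are rate-limited per source IP.
    """
    active: dict = field(default_factory=dict)     # station_id -> Session
    failures: dict = field(default_factory=dict)   # source_ip -> [failure timestamps]
    audit: list = field(default_factory=list)      # audit trail for the SOC

    def _recent_failures(self, ip, now):
        # Drop failures outside the window and return the live list (same object as stored).
        stamps = [t for t in self.failures.get(ip, []) if now - t < FAILURE_WINDOW_SEC]
        self.failures[ip] = stamps
        return stamps

    def connect(self, station_id, password, source_ip, now=None):
        """Handle a WebSocket upgrade for /ocpp/<station_id>; returns (accepted, reason)."""
        now = time.time() if now is None else now

        if len(self._recent_failures(source_ip, now)) >= MAX_AUTH_FAILURES:
            self.audit.append(f"rate_limited ip={source_ip} station={station_id}")
            return False, "rate_limited"

        # Unknown IDs are compared against a dummy secret so response timing does not
        # reveal whether a harvested identifier exists; compare_digest is constant-time.
        known = station_id in STATION_CREDENTIALS
        expected = STATION_CREDENTIALS.get(station_id, "dummy-secret-for-unknown-ids")
        if not (hmac.compare_digest(expected.encode(), password.encode()) and known):
            self._recent_failures(source_ip, now).append(now)
            self.audit.append(f"auth_failed ip={source_ip} station={station_id}")
            return False, "unauthorized"

        existing = self.active.get(station_id)
        if existing is not None:
            # Refuse instead of displacing the live charger; this is the event the SOC wants to see.
            self.audit.append(
                f"duplicate_session station={station_id} "
                f"existing_ip={existing.source_ip} new_ip={source_ip}"
            )
            return False, "session_already_active"

        self.active[station_id] = Session(station_id, source_ip, now)
        self.audit.append(f"connected station={station_id} ip={source_ip}")
        return True, "ok"

    def disconnect(self, station_id, source_ip):
        """Release a session; only the peer that owns it may close it."""
        s = self.active.get(station_id)
        if s is not None and s.source_ip == source_ip:
            del self.active[station_id]
            self.audit.append(f"disconnected station={station_id} ip={source_ip}")
            return True
        return False
```

The `audit` list is what you would forward to the SIEM: a `duplicate_session` event is exactly the signal the detection section below hunts for, and `auth_failed` bursts from one address are the flooding signal. Clearing stale sessions after a charger crashes (heartbeat timeouts) is left to the gateway's normal WebSocket close handling and is not shown here.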

Detection and Threat Hunting

Since EV2GO has not provided a patch, detection relies heavily on identifying anomalous behavior on the network. Security teams should monitor for unexpected WebSocket connections and session anomalies.

Hunting for Anomalous OCPP Connections (KQL)

Use this KQL query in Microsoft Sentinel to detect multiple distinct IP addresses connecting to your EV management backend using the same Charging Station ID, which indicates potential session hijacking or impersonation.

let EVBackendIPs = dynamic(["192.168.1.10", "10.0.0.5"]); // Replace with your actual backend IPs
let TimeWindow = 1h;
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
// Events recorded on the backend host itself: LocalIP is the backend, RemoteIP is the connecting client
| where LocalIP in (EVBackendIPs)
| where LocalPort in (80, 443, 8000, 8080) // Common WebSocket ports, adjust to your environment
// DeviceNetworkEvents does not carry the OCPP payload by default; point this at wherever your
// backend logs the chargeBoxIdentity if the JSON payload is available
| extend ChargingID = extract_json("$.chargeBoxIdentity", AdditionalFields, typeof(string))
| where isnotempty(ChargingID)
| summarize Count = dcount(RemoteIP), IPs = make_set(RemoteIP) by ChargingID, bin(Timestamp, 5m)
| where Count > 1
| project Timestamp, ChargingID, IPs, Count
| order by Count desc
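The same detection for teams that do not ship backend logs into Sentinel, as an added Python example (not from the article or from EV2GO): it bins WebSocket-upgrade log lines into five-minute buckets the way the KQL bin() above does, flags any station ID seen from more than one client address within a bucket, and additionally flags a single client opening many sessions in one minute, which is the flooding pattern of CVE-2026-25945. The log line format, the addresses and the station IDs are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed backend WebSocket-upgrade log lines (assumed format, not ev2go.io output).
# 203.0.113.9 reuses CP-0001's ID while the real charger (10.10.0.11) is connected, and
# 198.51.100.7 opens a dozen sessions within a single minute.
SAMPLE_LOG = """\
2026-02-28T10:00:05Z ws_connect client=10.10.0.11 path=/ocpp/CP-0001 status=101
2026-02-28T10:01:40Z ws_connect client=10.10.0.12 path=/ocpp/CP-0002 status=101
2026-02-28T10:03:12Z ws_connect client=203.0.113.9 path=/ocpp/CP-0001 status=101
2026-02-28T10:08:00Z ws_connect client=10.10.0.12 path=/ocpp/CP-0002 status=101
2026-02-28T10:09:30Z ws_connect client=10.10.0.13 path=/ocpp/CP-0003 status=101
""" + "".join(
    f"2026-02-28T10:12:{s:02d}Z ws_connect client=198.51.100.7 path=/ocpp/CP-{100 + s:04d} status=101\n"
    for s in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ws_connect client=(?P<ip>\S+) path=/ocpp/(?P<station>[^\s/]+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, station_id) for a ws_connect line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["station"]


def floor_to_window(ts, minutes):
    """Truncate a timestamp to the start of its N-minute bucket (like KQL bin())."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def find_shared_ids(log_text, window_minutes=5):
    """Station IDs used by more than one client IP within the same bucket (shadowing)."""
    ips_by_key = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, station = parsed
        ips_by_key[(floor_to_window(ts, window_minutes), station)].add(ip)
    return sorted(
        (b.strftime("%Y-%m-%dT%H:%M:%SZ"), station, sorted(ips))
        for (b, station), ips in ips_by_key.items()
        if len(ips) > 1
    )


def find_connect_bursts(log_text, threshold=10, window_minutes=1):
    """Client IPs that open at least `threshold` sessions in one bucket (flooding)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        counts[(floor_to_window(ts, window_minutes), ip)] += 1
    return sorted(
        (b.strftime("%Y-%m-%dT%H:%M:%SZ"), ip, n)
        for (b, ip), n in counts.items()
        if n >= threshold
    )


if __name__ == "__main__":
    for hit in find_shared_ids(SAMPLE_LOG):
        print("shared station id:", hit)
    for hit in find_connect_bursts(SAMPLE_LOG):
        print("connect burst:", hit)
```

Tune `window_minutes` and `threshold` to your fleet: a charger that reconnects after a power cycle will legitimately appear twice from the same address, which is why the first function counts distinct addresses rather than connections.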

Network Scanning for Exposure (Bash)

Administrators should verify that their charging station management interfaces are not exposed directly to the public internet. This bash script uses nmap to check for open WebSocket ports on a target range.

#!/bin/bash
# Scan for open WebSocket ports (default 80/443 or custom OCPP ports) on target subnets
set -u

TARGET_RANGE="192.168.100.0/24" # Adjust to your EV subnet
REPORT_FILE="ev2go_scan_$(date +%Y%m%d).txt"

# Common OCPP/WS ports - adjust as necessary for your deployment
PORTS="80,443,8080,8000"

command -v nmap >/dev/null 2>&1 || { echo "nmap not found in PATH" >&2; exit 1; }

echo "Scanning $TARGET_RANGE for potential WebSocket exposure..." > "$REPORT_FILE"

# -sV: service detection, --open: report open ports only, -oG -: grepable output on stdout.
# Match "/open/" rather than "open" so the header line echoing the --open flag is not captured.
nmap -sV -p "$PORTS" --open -oG - "$TARGET_RANGE" | grep "/open/" >> "$REPORT_FILE"

echo "Scan complete. Results saved to $REPORT_FILE"

Mitigation Strategies

Without a vendor patch, the focus must shift to network containment and monitoring.

  1. Network Segmentation (Crucial): EV charging stations should reside on an isolated VLAN, strictly separated from the corporate business network and the open internet.

  2. Firewall Rules: Implement strict egress and ingress firewall rules. Only allow the charging stations to communicate with the central management backend on specific ports. Block all other internet traffic originating from the chargers.

  3. VPNs for Management: If remote access to the charging stations is required for maintenance, ensure it is conducted exclusively over a secured VPN with Multi-Factor Authentication (MFA), not via public IP addresses.

  4. Deep Packet Inspection (DPI): Utilize next-generation firewalls or IDS/IPS solutions to inspect OCPP traffic. Look for protocol violations or unexpected command bursts that might indicate an active exploitation attempt.

  5. Disable Public Mapping: If possible, work with the vendor to obscure station identifiers from public mapping platforms, or implement internal identifiers that differ from public serial numbers.
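Steps 1 to 3 amount to a small allow-list, and it is worth encoding it so firewall or NetFlow exports can be checked against it automatically. The following Python is an added example, not material from the article or from EV2GO; the charger VLAN, backend address, VPN pool and ports are assumed values to be replaced with your own.

```python
import ipaddress

# Assumed addressing for the segmented design (constructed, not from the advisory).
CHARGER_VLAN = ipaddress.ip_network("10.10.0.0/24")     # isolated EV charger VLAN
BACKEND_HOSTS = {ipaddress.ip_address("10.0.0.5")}      # central management backend
BACKEND_PORTS = {443}                                   # wss:// only
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")        # addresses issued to MFA-authenticated VPN users
MGMT_PORTS = {22, 443}                                  # maintenance access to chargers


def evaluate_flow(src, dst, dport):
    """Decide whether one TCP flow is consistent with the charger-VLAN policy.

    Returns (verdict, reason); verdict is "allow", "deny" or "out_of_scope".
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    if src in CHARGER_VLAN:
        # Egress: chargers may only talk to the backend, and only on the permitted ports.
        if dst in BACKEND_HOSTS and dport in BACKEND_PORTS:
            return "allow", "charger to backend on permitted port"
        if dst in BACKEND_HOSTS:
            return "deny", f"charger to backend on non-permitted port {dport}"
        return "deny", "charger egress to non-backend destination"

    if dst in CHARGER_VLAN:
        # Ingress: maintenance reaches chargers only from the VPN pool, on management ports.
        if src in VPN_POOL and dport in MGMT_PORTS:
            return "allow", "management over VPN"
        if src in VPN_POOL:
            return "deny", f"VPN user to charger on non-management port {dport}"
        return "deny", "inbound to charger not via VPN"

    return "out_of_scope", "neither endpoint is in the charger VLAN"


def audit_flows(flows):
    """Return the (src, dst, dport, reason) tuples for flows that violate the policy."""
    violations = []
    for src, dst, dport in flows:
        verdict, reason = evaluate_flow(src, dst, dport)
        if verdict == "deny":
            violations.append((src, dst, dport, reason))
    return violations


# Constructed flow records (src, dst, dst_port) as a firewall or NetFlow export would provide.
SAMPLE_FLOWS = [
    ("10.10.0.11", "10.0.0.5", 443),       # charger -> backend wss: expected
    ("10.10.0.11", "10.0.0.5", 80),        # charger -> backend on plain ws: violation
    ("10.10.0.12", "198.51.100.20", 443),  # charger -> internet: violation
    ("10.200.0.7", "10.10.0.12", 22),      # technician on VPN -> charger ssh: allowed
    ("203.0.113.9", "10.10.0.11", 443),    # internet -> charger: violation
    ("10.0.0.5", "10.0.0.9", 5432),        # backend -> database: not this policy's concern
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("violation:", v)
```

Running this against a day of flow records gives you two things at once: proof that the segmentation rules are actually in force, and an early signal when a charger starts talking to something other than its backend.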

Conclusion

The EV2GO situation is a cautionary tale for the OT and IoT sectors. The convergence of physical infrastructure and web-based protocols introduces risks that traditional IT security teams may not be accustomed to handling. When vendors go silent, proactive network hygiene and aggressive monitoring become your only line of defense.
