Critical Flaws in EV Energy Platform Expose Charging Grids to Remote Takeover
The rapid expansion of Electric Vehicle (EV) infrastructure is transforming the transportation landscape, but it also introduces a rapidly expanding attack surface for threat actors targeting critical energy systems. Today, we are analyzing a concerning set of vulnerabilities identified in the EV Energy ev.energy platform. These flaws, detailed in a recent CISA advisory, highlight significant weaknesses in how charging stations authenticate and communicate with central management systems.
The Threat Landscape
EV Energy ev.energy is a software platform used to manage EV charging networks. It relies on the Open Charge Point Protocol (OCPP), typically transported over WebSockets, to facilitate communication between charging stations and the backend server. Researchers Khaled Sarieddine and Mohammad Ali Sayed discovered that the implementation of these protocols in the EV Energy platform is fundamentally insecure across all versions (vers:all/*).
Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative control over charging stations or disrupt charging services through denial-of-service (DoS) attacks. Given that the Energy and Transportation sectors are designated as Critical Infrastructure, the stakes are incredibly high.
Vulnerability Deep Dive
CISA has assigned four CVEs to this cluster of issues. We have broken down the mechanics of each flaw below to help your security team understand the risks.
1. CVE-2026-27772 (CVSS 9.4 CRITICAL) – Missing Authentication
The most severe flaw lies in the WebSocket endpoints used for OCPP communication. The platform lacks proper authentication mechanisms, meaning it does not verify who is connecting to the backend.
- The Attack Vector: An attacker needs only a Charging Station Identifier (often predictable or observable) to connect to the OCPP WebSocket endpoint.
- The Impact: Without authentication, the attacker can impersonate a legitimate charger. This allows them to send manipulated data to the backend, issue unauthorized commands, or disrupt the charging network's integrity. This is a textbook example of CWE-306 (Missing Authentication for Critical Function).
2. CVE-2026-24445 (CVSS 7.5 HIGH) – Lack of Rate Limiting
The WebSocket API does not restrict the number of authentication requests.
- The Attack Vector: An attacker can flood the system with connection attempts.
- The Impact: This facilitates two main attack types: brute-force attacks to guess identifiers and DoS attacks that suppress legitimate telemetry data from actual chargers, effectively taking them offline.
3. CVE-2026-26290 (CVSS 7.3 HIGH) – Session Hijacking via "Shadowing"
The backend uses charging station identifiers to manage sessions but fails to validate the uniqueness of the connection.
- The Attack Vector: Because session identifiers are predictable, an attacker can connect using the same ID as an active charging station. The platform accepts the most recent connection, displacing the legitimate one (a technique known as "session shadowing").
- The Impact: The attacker receives backend commands intended for the physical charger and can cause a DoS condition by overwhelming the backend with conflicting session data.
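The three backend weaknesses described so far (no authentication on the WebSocket endpoint, no rate limiting on connection attempts, and acceptance of a second connection for an already-active station ID) all sit in the same place: the decision of whether to admit a new connection. The following connection gate is an added example written for this article, not code from the ev.energy platform or from CISA. It assumes a deployment model the advisory does not describe: each station is provisioned with its own secret (the shape the OCPP 1.6 security profiles use for HTTP Basic authentication), the backend stores only a salted hash of that secret, and a duplicate connection for a live station is refused and reported rather than allowed to displace the existing session. All class and method names are illustrative.

```python
"""Hardened OCPP WebSocket connection gate (illustrative, not the ev.energy code).

Assumptions, not taken from the advisory: a per-station secret is provisioned
out of band, only its salted hash is stored, and a second connection for an
active station is refused instead of shadowing the live one.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class ConnectionGate:
    """Decides whether a new WebSocket connection for a station may be admitted."""

    def __init__(self, max_attempts=5, window_seconds=60.0, clock=time.monotonic):
        self._clock = clock                     # injectable for deterministic tests
        self._max_attempts = max_attempts
        self._window = window_seconds
        self._credentials = {}                  # station_id -> (salt, sha256(salt + secret))
        self._active = {}                       # station_id -> source IP of the live session
        self._attempts = defaultdict(deque)     # source IP -> timestamps of recent attempts

    def provision(self, station_id, secret):
        """Store a salted hash of the station secret; the secret itself is never kept."""
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + secret.encode()).digest()
        self._credentials[station_id] = (salt, digest)

    def _rate_limited(self, source_ip):
        """Sliding-window limit on attempts per source IP (CVE-2026-24445 control)."""
        now = self._clock()
        window = self._attempts[source_ip]
        while window and now - window[0] > self._window:
            window.popleft()
        if len(window) >= self._max_attempts:
            return True
        window.append(now)
        return False

    def _authenticate(self, station_id, presented_secret):
        """Constant-time check of the presented secret (CVE-2026-27772 control)."""
        record = self._credentials.get(station_id)
        if record is None:
            # Compute a digest anyway so unknown and known IDs take similar time.
            hashlib.sha256(presented_secret.encode()).digest()
            return False
        salt, digest = record
        presented = hashlib.sha256(salt + presented_secret.encode()).digest()
        return hmac.compare_digest(presented, digest)

    def admit(self, station_id, presented_secret, source_ip):
        """Return (accepted, reason). Order: rate limit, then credentials, then uniqueness."""
        if self._rate_limited(source_ip):
            return False, "rate_limited"
        if not self._authenticate(station_id, presented_secret):
            return False, "bad_credentials"
        if station_id in self._active:
            # Refuse to shadow the live session (CVE-2026-26290 control); this
            # event is worth an alert because it means a valid secret is in use twice.
            return False, "already_connected"
        self._active[station_id] = source_ip
        return True, "ok"

    def release(self, station_id, source_ip):
        """Tear down a session only if the caller is the peer that owns it."""
        if self._active.get(station_id) == source_ip:
            del self._active[station_id]
            return True
        return False


if __name__ == "__main__":
    gate = ConnectionGate()
    gate.provision("CP-0001", "station-secret")          # constructed sample station
    print(gate.admit("CP-0001", "station-secret", "203.0.113.5"))   # (True, 'ok')
    print(gate.admit("CP-0001", "station-secret", "198.51.100.7"))  # (False, 'already_connected')
```

The ordering in `admit` matters: rate limiting runs before the credential check so that a flood of bad credentials is throttled, and the uniqueness check runs only after a valid credential so that an unauthenticated peer cannot learn which station IDs are currently online from the rejection reason.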
4. CVE-2026-25774 (CVSS 6.5 MEDIUM) – Exposed Credentials
Perhaps the most consequential operational failure is that charging station authentication identifiers have been found publicly accessible through web-based mapping platforms.
- The Impact: This significantly lowers the barrier to entry for the attacks described above, as attackers do not need to guess or brute-force identifiers: they can simply scrape them from public maps.
Vendor Status and Risk Assessment
A critical note for security operators: EV Energy did not respond to CISA's request for coordination. This lack of communication means there is no official vendor patch or confirmed timeline for remediation at the time of this advisory. This places the burden of defense entirely on the network operators and SOC teams utilizing this software.
Detection and Threat Hunting
Given the lack of vendor patches, network visibility is your primary defense. SOC teams should monitor for anomalies in WebSocket traffic and OCPP protocol usage. Below are queries and scripts to assist in hunting for these specific behaviors.
Hunting for Unusual WebSocket Connections (KQL)
Use this query in Microsoft Sentinel or Defender to detect an unusually high volume of WebSocket connections or connections from unexpected IPs to known EV Energy management endpoints.
DeviceNetworkEvents
| where RemotePort in (443, 80, 8080, 9000) // Common WebSocket ports, adjust as needed
| where Protocol has "TCP"
| extend ParsedURL = parse_url(RemoteUrl)
| extend RemoteHost = tostring(ParsedURL.Host)
| where isnotempty(RemoteHost)
// Filter for known EV Energy endpoints if available, otherwise look for OCPP patterns in the URL
| where RemoteHost has "ev.energy" or RemoteUrl has "ocpp"
| summarize ConnectionCount = count(), DistinctSources = dcount(LocalIP), Sources = make_set(LocalIP) by RemoteHost, bin(Timestamp, 1h)
| where ConnectionCount > 100 // Threshold tuning required based on baseline
| order by ConnectionCount desc
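Not every operator has the OCPP backend's connection logs flowing into Sentinel. The script below is an added example for this article (not ev.energy or CISA code) that runs the same two hunts directly over plain-text connection logs: a station identifier appearing from two different source IPs within a short window (the shadowing pattern of CVE-2026-26290) and a single source IP opening an unusual number of connections within a minute (the flooding pattern of CVE-2026-24445). The log line format, the `ws_connect` event name and the sample entries are constructed for illustration; adapt the regular expression to whatever your reverse proxy or backend actually emits.

```python
"""Hunting for OCPP connection anomalies in plain-text connection logs.

Added example. The log format below is constructed for illustration, not the
ev.energy platform's real logging. Two detections are implemented:
  * station shadowing: one station identifier seen from more than one source IP
    inside a time window;
  * connection flooding: one source IP opening more than N connections per window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: "<ISO timestamp> ws_connect src=<ip> station=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ws_connect src=(?P<src>[\d.]+) station=(?P<station>\S+)$"
)

# Constructed sample log lines (documentation IP ranges, UTC timestamps).
SAMPLE_LOG = """\
2026-03-01T10:00:01Z ws_connect src=203.0.113.5 station=CP-0001
2026-03-01T10:00:03Z ws_connect src=203.0.113.6 station=CP-0002
2026-03-01T10:00:40Z ws_connect src=198.51.100.7 station=CP-0001
2026-03-01T10:01:02Z ws_connect src=198.51.100.7 station=CP-0003
2026-03-01T10:01:03Z ws_connect src=198.51.100.7 station=CP-0004
2026-03-01T10:01:04Z ws_connect src=198.51.100.7 station=CP-0005
2026-03-01T10:01:05Z ws_connect src=198.51.100.7 station=CP-0006
2026-03-01T10:01:06Z ws_connect src=198.51.100.7 station=CP-0007
2026-03-01T10:30:00Z ws_connect src=203.0.113.5 station=CP-0001
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, source_ip, station_id) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not connect events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["station"]))
    events.sort()
    return events


def find_shadowing(events, window=timedelta(minutes=5)):
    """Station IDs that reconnect from a different source IP within `window`."""
    last_seen = {}  # station -> (timestamp, source_ip) of the most recent connect
    findings = []
    for ts, src, station in events:
        prev = last_seen.get(station)
        if prev and prev[1] != src and ts - prev[0] <= window:
            findings.append({"station": station, "first_src": prev[1],
                             "second_src": src, "at": ts.isoformat()})
        last_seen[station] = (ts, src)
    return findings


def find_floods(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs that open more than `threshold` connections inside any `window`."""
    per_src = defaultdict(list)
    for ts, src, _ in events:
        per_src[src].append(ts)  # events are already sorted, so each list is too
    flagged = {}
    for src, times in per_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count > threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in find_shadowing(evts):
        print(f"[SHADOW] {f['station']} seen from {f['first_src']} then {f['second_src']} at {f['at']}")
    for src, n in find_floods(evts).items():
        print(f"[FLOOD] {src} opened {n} connections within one minute")
```

Thresholds are deliberately parameters: a fleet where chargers legitimately roam between cellular IPs will need a longer shadowing window and a whitelist of known carrier ranges, while the flood threshold should come from a baseline of how often your own stations reconnect after network drops.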
Checking for Exposed Identifiers (Bash)
While you cannot scrub the internet, you can ensure your internal asset management does not leak these identifiers. This script checks for common configuration files that might contain exposed identifiers on your internal servers.
#!/usr/bin/env bash
# Search common configuration formats under the EV config directory for station identifiers.
# -l lists only matching file names so the identifiers themselves are not echoed to the console.
if grep -r -i -l --include="*.conf" --include="*.yaml" --include="*.yml" "chargeBoxId" /etc/ev-config 2>/dev/null; then
    echo "[ALERT] Potential charging station identifiers found in configuration files."
else
    echo "[INFO] No explicit identifiers found in common config paths."
fi
Python Script to Simulate Connection Audit
This script can be used by your Red Team or vulnerability management group to audit if your endpoints are susceptible to authentication bypass (CVE-2026-27772). Use only on systems you own or have explicit permission to test.
import asyncio
import sys

import websockets  # pip install websockets

TARGET_URI = "wss://your-target-ev-energy-endpoint.com/ocpp"  # Replace with your own endpoint
STATION_ID = "PREDICTABLE_ID_HERE"  # Replace with one of your own station IDs


async def check_auth_bypass(target_uri: str, station_id: str) -> bool:
    """Return True if the backend accepts a connection that carries no credentials."""
    uri = f"{target_uri}?stationId={station_id}"
    print(f"[*] Attempting connection to {uri}...")
    try:
        # Attempt to connect without auth headers using a known ID
        async with websockets.connect(uri) as websocket:
            print("[!] Connection Established: Authentication Bypass Likely!")
            # A real OCPP client would exchange JSON messages here; the audit stops at the handshake
            return True
    except Exception as e:  # handshake rejection, TLS failure, timeout, ...
        print(f"[-] Connection Failed: {e}")
        return False


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET_URI
    station = sys.argv[2] if len(sys.argv) > 2 else STATION_ID
    asyncio.run(check_auth_bypass(target, station))
Mitigation Strategies
Since vendor patches are not currently available, CISA recommends the following defensive measures to minimize the risk of exploitation:
- Network Segmentation: Minimize network exposure for all control system devices. Ensure charging station controllers and management servers are not accessible from the open Internet.
- Firewall Isolation: Locate control system networks and remote devices behind firewalls, isolating them from the business network.
- Secure Remote Access: If remote access is strictly required, utilize VPNs. However, ensure the VPN solution is fully updated, recognizing that the VPN is only as secure as the devices connected to it.
- Ingress/Egress Filtering: Implement strict firewall rules to only allow necessary OCPP traffic from known IP addresses (allow-listing) to the management backend.
Conclusion
The vulnerabilities in EV Energy serve as a stark reminder that as our physical infrastructure becomes smarter, it also becomes more vulnerable. The convergence of IT and OT in the EV sector requires a heightened state of vigilance. Until the vendor provides a patch, robust network architecture and aggressive threat hunting are your best defenses against these critical threats.