Critical Flaws in EV Energy Platform Expose Charging Infrastructure to Remote Takeover

As the global push for electric vehicle (EV) adoption accelerates, the security of the charging infrastructure has become a paramount concern for the Energy and Transportation sectors. Recently, CISA released an advisory detailing multiple severe vulnerabilities in EV Energy ev.energy, a platform widely used to manage EV charging stations. These flaws expose a harsh reality: our modern charging ecosystem is susceptible to classic web application vulnerabilities that can lead to unauthorized administrative control and service disruption.

At Security Arsenal, we have analyzed these vulnerabilities to help your organization understand the risk landscape and defend against potential exploitation.

Vulnerability Analysis: A Breakdown of the Threats

The advisory identifies four CVEs, all affecting versions vers:all/* of the EV Energy ev.energy platform. The most critical issue stems from a lack of authentication on key communication channels.

1. Unauthenticated Remote Control (CVE-2026-27772)

CVSS Score: 9.4 (CRITICAL)

This is the most severe flaw in the suite. The WebSocket endpoints, which handle the Open Charge Point Protocol (OCPP), lack proper authentication mechanisms. In a properly secured environment, a charging station must prove its identity to the backend before issuing or receiving commands.

Due to this missing authentication, an attacker can connect to the OCPP WebSocket endpoint using a known or guessed charging station identifier (Box ID). Once connected, they can impersonate a legitimate charger. This allows the attacker to:

• Manipulate charging state (start/stop charging).
• Corrupt backend data.
• Escalate privileges and gain administrative control over the charging network.

2. Session Hijacking and Shadowing (CVE-2026-26290)

CVSS Score: 7.3 (HIGH)

The platform utilizes charging station identifiers to uniquely associate sessions. However, the implementation is flawed: it allows multiple endpoints to connect using the same session identifier and fails to invalidate old sessions properly. This leads to predictable session identifiers and enables "session shadowing."

In this attack scenario, a malicious actor connects to the backend using the ID of an active charging station. The most recent connection displaces the legitimate station, meaning the attacker now receives the commands intended for the physical hardware. This effectively creates a Denial-of-Service (DoS) condition for the legitimate user while giving the attacker full visibility of the station's instructions.

3. Denial-of-Service via Flooding (CVE-2026-24445)

CVSS Score: 7.5 (HIGH)

The WebSocket API lacks restrictions on the number of authentication requests—essentially, there is no rate limiting. This opens the door for two primary attack vectors:

1. Brute-force attacks: Attackers can hammer the endpoint with guesses for station identifiers.
2. DoS attacks: By flooding the WebSocket endpoint with connection requests, an attacker can suppress legitimate telemetry from chargers, causing the management platform to lose visibility or control over the fleet.

4. Exposed Credentials via OSINT (CVE-2026-25774)

CVSS Score: 6.5 (MEDIUM)

Operational Security (OpSec) failures are often just as damaging as software bugs. In this case, charging station authentication identifiers have been found publicly accessible via web-based mapping platforms. This significantly lowers the barrier to entry for the attacks described above, as attackers do not need to guess or scan for IDs—they can simply scrape them from public maps.

Detection and Threat Hunting

Detecting exploitation of these vulnerabilities requires monitoring network traffic specifically for WebSocket anomalies and OCPP protocol manipulation. Since the vendor did not coordinate with CISA, specific Indicators of Compromise (IOCs) are scarce, making behavioral detection essential.

KQL Query for Sentinel/Defender

Use the following query to hunt for suspicious WebSocket connection attempts to your EV Energy management infrastructure, specifically looking for sources that should not be communicating with the charging backend or high volumes of connection failures indicative of brute-forcing (CVE-2026-24445).

let EV_Energy_Backend_IPs = dynamic(["192.168.1.10", "10.0.0.5"]); // Replace with your actual backend IPs
let WebSocket_Port = 443; // OCPP typically runs over secure WebSockets on 443 or 80
DeviceNetworkEvents
| where RemoteIP in (EV_Energy_Backend_IPs)
| where RemotePort == WebSocket_Port
| where NetworkProtocol == "WebSocket" or AdditionalFields has "OCPP"
| summarize ConnectionCount = count(), DistinctLocalIPs = dcount(LocalIP) by Bin(Timestamp, 5m), InitiatingProcessAccountName, LocalIP
| where ConnectionCount > 50 // Threshold for rate limiting detection
| project Timestamp, InitiatingProcessAccountName, LocalIP, ConnectionCount, DistinctLocalIPs
| sort by ConnectionCount desc

Python Script: WebSocket Authentication Check

The script below acts as a vulnerability scanner to check if your EV Energy endpoints require authentication (CVE-2026-27772). It attempts a WebSocket connection without headers to see if the connection is accepted.

import asyncio
import websockets
import sys

async def check_ocpp_auth(uri):
    """
    Checks if the WebSocket endpoint allows unauthenticated connections.
    """
    try:
        print(f"[*] Attempting connection to {uri} without authentication...")
        # Attempting connection without Authorization headers
        async with websockets.connect(uri, close_timeout=5) as websocket:
            print("[!] Connection Succeeded: Endpoint is missing authentication (VULNERABLE)")
            # Try to send a generic OCPP JSON payload to test active channel
            # [2, "message-id", "BootNotification", {"chargePointVendor": "TestVendor"}]
            payload = '[2, "test-id", "BootNotification", {"chargePointVendor": "SecurityArsenal"}]'
            await websocket.send(payload)
            response = await websocket.recv()
            print(f"[+] Server Response: {response}")
    except websockets.exceptions.InvalidStatusCode as e:
        if e.status_code == 401 or e.status_code == 403:
            print(f"[+] Connection Rejected ({e.status_code}): Authentication likely required.")
        else:
            print(f"[?] Unexpected Status Code: {e.status_code}")
    except Exception as e:
        print(f"[-] Connection Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python check_ocpp.py wss://target-ev-backend.com/ocpp")
        sys.exit(1)
    
    target_uri = sys.argv[1]
    asyncio.get_event_loop().run_until_complete(check_ocpp_auth(target_uri))

Mitigation Strategies

Given that EV Energy did not respond to CISA's coordination request, applying a vendor patch may be difficult at this moment. Immediate defensive measures are critical.

1. Network Segmentation (Immediate Priority): Ensure that charging station networks are strictly isolated from the broader corporate network. The charging infrastructure should reside in a dedicated VLAN with firewall rules that only allow necessary traffic to the management backend.

2. Restrict Internet Exposure: CISA explicitly advises minimizing network exposure. Ensure that OCPP WebSocket ports (typically 443 or 80) are not directly accessible from the open internet. If remote access is required for management, enforce a strict VPN policy with Multi-Factor Authentication (MFA).

3. Ingress Filtering: Configure firewalls to whitelist only known Charging Station IP addresses that are allowed to initiate WebSocket connections to the backend. This directly mitigates CVE-2026-27772 and CVE-2026-24445 by preventing external actors from reaching the endpoint.

4. OpSec Review: Audit your public-facing data. Ensure that sensitive identifiers or internal dashboard links are not exposed on public mapping platforms or social media (mitigating CVE-2026-25774).

Conclusion

The convergence of Operational Technology (OT) and Information Technology (IT) in the EV sector expands the attack surface for malicious actors. These vulnerabilities in EV Energy highlight a lack of security-by-design in some charging management platforms. Until a vendor patch is available and verified, robust network hygiene and aggressive segmentation are your strongest defenses.

Organizations observing suspected malicious activity against their EV infrastructure should report findings to CISA and engage with Managed Security Service providers to monitor for anomalous behaviors.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub