As the global push for electric vehicle (EV) infrastructure accelerates, the security of the charging ecosystem has become a paramount concern for critical infrastructure sectors. Recently, CISA released an advisory detailing a set of severe vulnerabilities affecting Mobiliti's e-mobi.hu charging station software. These flaws aren't just software bugs; they represent a tangible risk to the energy and transportation sectors, potentially allowing malicious actors to seize administrative control of charging hardware, disrupt services, and corrupt grid data.
What makes this situation particularly alarming is the vendor's lack of response to CISA's coordination efforts. With no official patch immediately available, organizations relying on these devices must rely on defensive network posture and vigilant monitoring to mitigate risk.
The Vulnerability Landscape
The advisory identifies four distinct CVEs (CVE-2026-26051, CVE-2026-20882, CVE-2026-27764, CVE-2026-27777) that, when combined, create a perfect storm for attackers. The core issue lies in the implementation of the Open Charge Point Protocol (OCPP) over WebSockets.
1. Unauthenticated WebSocket Access (CVE-2026-26051)
CVSS Score: 9.4 (CRITICAL)
This is the most severe of the bunch. The WebSocket endpoints used for communication between the charging station and the central backend lack proper authentication mechanisms. An attacker on the network—likely having scanned for open ports—can simply connect to the OCPP endpoint using a discovered or guessed charging station identifier (ChargeBoxIdentity). Once connected, they can issue commands as if they were the physical charger itself. This leads to privilege escalation and unauthorized control of the infrastructure.
2. No Rate Limiting (CVE-2026-20882)
CVSS Score: 7.5 (HIGH)
The API does not restrict the number of authentication requests. This allows attackers to perform brute-force attacks to guess identifiers or conduct Denial-of-Service (DoS) attacks by flooding the backend with connection attempts, effectively suppressing legitimate telemetry data.
3. Session Hijacking and Shadowing (CVE-2026-27764)
CVSS Score: 7.3 (HIGH)
The session management logic allows multiple endpoints to connect using the same session identifier. This "shadowing" effect means a malicious actor can connect, kick the legitimate charger off the session, and intercept backend commands intended for the physical hardware. This enables man-in-the-middle attacks and further unauthorized control.
4. Exposed Credentials (CVE-2026-27777)
CVSS Score: 6.5 (MEDIUM)
To make matters worse, the unique identifiers required to exploit the other vulnerabilities are often publicly accessible via web-based mapping platforms that track charger locations. This significantly lowers the barrier to entry for an attacker, providing them with the keys to the kingdom without requiring physical access to the device.
Detection and Threat Hunting
Since a patch is not currently available, detection becomes your primary defense. Security teams should focus on monitoring network traffic for anomalies related to OCPP WebSocket connections and authentication attempts.
Hunting for Session Hijacking (KQL)
Use this KQL query in Microsoft Sentinel to detect multiple distinct IP addresses connecting to the same charging station backend or using the same station identifier (if your logging payload includes it).
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted" // connections accepted on the OCPP backend host
| where LocalPort in (80, 443, 8080, 9000) // Common OCPP WebSocket ports, adjust based on your environment
| extend SourceIP = RemoteIP, DestIP = LocalIP // for inbound events the remote side is the connecting charger (or an attacker)
| summarize ConnectionCount = dcount(SourceIP), DistinctIPs = make_set(SourceIP) by DestIP, bin(TimeGenerated, 5m)
| where ConnectionCount > 2 // Alert if multiple IPs hit the same backend node in 5 mins
| project TimeGenerated, DestIP, DistinctIPs, ConnectionCount
| order by TimeGenerated desc
Identifying Brute Force Attempts (KQL)
Detect potential brute force attacks leveraging the lack of rate limiting (CVE-2026-20882).
SigninLogs
// If OCPP auth is fronted by an Entra ID app registration or a similar gateway; ResultType "0" is success
| where AppDisplayName contains "Mobiliti" or AppDisplayName contains "Charger"
| summarize FailedAttempts = countif(ResultType != "0") by IPAddress, bin(TimeGenerated, 1m)
| where FailedAttempts > 10 // Threshold for alerting
| project TimeGenerated, IPAddress, FailedAttempts
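Both hunts above key on IP addresses because network telemetry rarely carries the station identifier. Where the OCPP gateway's own access log records the ChargeBoxIdentity in the WebSocket path, the same two checks can be run directly on it. The following is an added example, not code from the advisory or from Mobiliti: the log line format, the WS_CONNECT event name and the /ocpp/<identity> path layout are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical OCPP gateway access log (not real Mobiliti data).
# Assumed line format: "<ISO timestamp> <client IP> WS_CONNECT /ocpp/<ChargeBoxIdentity>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.10 WS_CONNECT /ocpp/CB-0001
2024-05-01T10:00:05 203.0.113.11 WS_CONNECT /ocpp/CB-0002
2024-05-01T10:03:10 198.51.100.7 WS_CONNECT /ocpp/CB-0001
2024-05-01T10:03:12 198.51.100.7 WS_CONNECT /ocpp/CB-0100
2024-05-01T10:03:14 198.51.100.7 WS_CONNECT /ocpp/CB-0101
2024-05-01T10:03:16 198.51.100.7 WS_CONNECT /ocpp/CB-0102
2024-05-01T10:09:00 203.0.113.10 WS_CONNECT /ocpp/CB-0001
"""
LINE_RE = re.compile(r"^(\S+) (\S+) WS_CONNECT /ocpp/(\S+)$")
def parse_log(text):
    """Return (timestamp, client_ip, charge_box_identity) tuples for each well-formed connect line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def _sliding_hits(events, key_idx, val_idx, window, min_distinct):
    """Report keys (field key_idx) that see more than min_distinct distinct values of field val_idx within any window."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev[key_idx]].append((ev[0], ev[val_idx]))
    hits = {}
    for key, seq in grouped.items():
        seq.sort()  # chronological order so each start point opens a forward-looking window
        for i, (start, _) in enumerate(seq):
            distinct = {v for t, v in seq[i:] if t - start <= window}
            if len(distinct) > min_distinct:
                hits[key] = sorted(distinct)
                break
    return hits
def detect_shadowing(events, window=timedelta(minutes=5)):
    """CVE-2026-27764 indicator: one ChargeBoxIdentity bound from more than one client IP within the window."""
    return _sliding_hits(events, key_idx=2, val_idx=1, window=window, min_distinct=1)
def detect_enumeration(events, window=timedelta(minutes=1), max_ids=3):
    """CVE-2026-20882 indicator: one client IP trying more than max_ids distinct identities within the window."""
    return _sliding_hits(events, key_idx=1, val_idx=2, window=window, min_distinct=max_ids)
if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shadowed identities:", detect_shadowing(evs))   # {'CB-0001': ['198.51.100.7', '203.0.113.10']}
    print("enumerating clients:", detect_enumeration(evs))  # {'198.51.100.7': ['CB-0001', 'CB-0100', 'CB-0101', 'CB-0102']}
```

The legitimate reconnect at 10:09 falls outside the five-minute window and is not flagged, while the second IP binding CB-0001 three minutes after the real charger is.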
Script to Check for Exposed Identifiers (Python)
While we cannot fix the exposure, we can audit our own asset lists to see if identifiers are leaking in internal logs or public references. Below is a simple script to scan logs for exposed ChargeBoxIdentity patterns.
import re

def scan_for_ocpp_ids(log_file_path):
    """Print and return every (line number, identifier) pair found in the log."""
    # Pattern for the identifier as it appears in the log, e.g. ChargeBoxId["ABC123"].
    # Adjust to Mobiliti's specific ID format (UUIDs or vendor-specific hex strings).
    pattern = re.compile(r'ChargeBoxId\["([^"]+)"\]')
    found = []
    try:
        with open(log_file_path, 'r', encoding='utf-8') as file:
            for line_number, line in enumerate(file, 1):
                match = pattern.search(line)
                if match:
                    print(f"Potential ID found at line {line_number}: {match.group(1)}")
                    found.append((line_number, match.group(1)))
    except FileNotFoundError:
        print(f"File not found: {log_file_path}")
    return found

# Usage: scan_for_ocpp_ids('path_to_your_access.log')
Mitigation Strategies
Given the vendor's silence, defensive measures must be network-centric. CISA recommends the following steps, which we endorse and expand upon:
- Network Segmentation: Immediately move all control system networks and devices behind firewalls. Ensure these devices are not accessible from the public Internet. The charging stations should communicate only with a specific, hardened backend server segment.
- Minimize Exposure: Conduct a thorough audit to ensure management ports (typically TCP 80, 443, or custom OCPP ports) are not exposed to the wider internet or untrusted VLANs.
- Implement VPNs for Remote Access: If remote access is absolutely required for maintenance, it must be routed through a secure Virtual Private Network (VPN). Remember, however, that a VPN is only as secure as the devices connecting to it; ensure the VPN client software is fully patched.
- Ingress Filtering: Configure firewalls to allow inbound connections to the charging station backend only from known IP ranges of the charging stations themselves (allow-listing).
- Contact the Vendor: Despite the lack of response, pressure from customers often motivates action. Contact Mobiliti directly to request an update and a timeline for a patch.