Critical Mobility46 Flaws Enable Complete EV Charger Hijacking
As the global push for electric vehicle (EV) infrastructure accelerates, the security of the charging ecosystem has become a paramount concern for critical infrastructure sectors. Recent advisories from CISA have uncovered a set of severe vulnerabilities in Mobility46 charging station software that could allow attackers to completely hijack charging sessions, disrupt power delivery, and corrupt backend data.
The implications of these flaws extend beyond mere inconvenience; they touch the Energy and Transportation Systems sectors, potentially enabling bad actors to manipulate the physical grid or deny service to entire fleets. What makes this situation particularly precarious is that the vendor, Mobility46, reportedly did not respond to CISA's coordination requests, leaving the mitigation burden heavily on the infrastructure owners and operators.
Vulnerability Analysis
The vulnerabilities affect all versions of the Mobility46 platform (mobility46.se). The core issue lies in the implementation of the Open Charge Point Protocol (OCPP) over WebSockets. OCPP is the backbone communication standard between EV chargers and their backend (central system), and when it is deployed without authentication, rate limiting and proper session handling it becomes a wide-open door for attackers.
CVE-2026-27028: Missing Authentication for Critical Function (CVSS 9.4 CRITICAL)
This is the most severe flaw in the cluster. The WebSocket endpoints used for OCPP communication lack proper authentication mechanisms. In a properly secured environment, a charging station must authenticate itself to the backend (and vice versa) before exchanging commands.
However, Mobility46's implementation allows an unauthenticated attacker to connect to the OCPP WebSocket endpoint if they possess or guess a charging station identifier. Since no authentication is required, the attacker can impersonate a legitimate charger. This enables:
- Privilege Escalation: Sending false status updates to the backend.
- Data Corruption: Manipulating charging session logs and transaction data.
- Infrastructure Takeover: Issuing unauthorized commands to the backend system.
CVE-2026-26305: Improper Restriction of Authentication Attempts (CVSS 7.5 HIGH)
The WebSocket API lacks rate limiting. This opens the door to two primary attack vectors:
- Denial-of-Service (DoS): An attacker can flood the endpoint with connection requests, suppressing legitimate telemetry from real chargers or mis-routing data.
- Brute Force: In scenarios where identifiers might be obfuscated, the lack of rate limiting allows for high-speed automated guessing attacks to discover valid station IDs.
CVE-2026-27647: Insufficient Session Expiration (CVSS 7.3 HIGH)
This vulnerability involves poor session management. The backend uses charging station identifiers to associate sessions but allows multiple endpoints to connect using the same identifier simultaneously.
Because session identifiers are predictable, an attacker can engage in session hijacking or "shadowing." By connecting with a predicted ID, the attacker's connection can displace the legitimate charging station. Consequently, the attacker receives the commands intended for the physical charger (e.g., "start charging," "stop charging"), effectively locking out the legitimate device and allowing remote control of the hardware.
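The three protocol-level weaknesses above (no authentication on the OCPP WebSocket endpoint, no limit on connection attempts, and a second connection being allowed to take over a station ID) are all decisions a central system makes during the WebSocket handshake. The following is an added example, not Mobility46's code or part of the CISA advisory, of how a backend can enforce each of them at that point. It assumes the OCPP-J convention that the station ID is the last path segment of `/ocpp/<id>`, the OCPP 1.6 security profile 1 rule that the HTTP Basic username must equal the station ID, a constructed credential store with two hypothetical stations, and HTTP status codes (401, 409, 429) chosen for this example:

```python
"""Handshake guard for an OCPP-J central system: authenticate the charge point,
rate-limit failed attempts per source IP, and refuse a second live session for
one station ID instead of letting it displace the real charger."""
import base64
import hashlib
import hmac
import time
from collections import defaultdict, deque


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store for the example: station ID -> (salt, PBKDF2 hash of the
# Basic-auth password). A real deployment would keep this in a secrets store, not in code.
CREDENTIALS = {
    "CP-0001": (b"salt-0001", _pbkdf2("s3cret-cp-0001", b"salt-0001")),
    "CP-0002": (b"salt-0002", _pbkdf2("s3cret-cp-0002", b"salt-0002")),
}


def charge_point_id_from_path(path):
    """OCPP-J convention (assumed here): the station ID is the last segment of /ocpp/<id>."""
    parts = [p for p in path.split("/") if p]
    if len(parts) == 2 and parts[0] == "ocpp":
        return parts[1]
    return None


def verify_basic_auth(auth_header, cp_id):
    """OCPP 1.6 security profile 1: Basic-auth username must equal the station ID and the
    password must match the stored hash; compare in constant time."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    if user != cp_id or cp_id not in CREDENTIALS:
        return False
    salt, expected = CREDENTIALS[cp_id]
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


class FailureLimiter:
    """Sliding-window cap on failed handshakes per source IP (blunts station-ID guessing)."""

    def __init__(self, max_failures=5, window_s=60.0):
        self.max_failures, self.window_s = max_failures, window_s
        self._failures = defaultdict(deque)

    def blocked(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, ip, now):
        self._failures[ip].append(now)


class SessionRegistry:
    """One live session per station ID. A second connection for the same ID is refused;
    it never swaps in for the existing one, which is the 'shadowing' behaviour to avoid."""

    def __init__(self):
        self._active = {}  # station ID -> peer IP holding the session

    def claim(self, cp_id, peer_ip):
        if cp_id in self._active:
            return False
        self._active[cp_id] = peer_ip
        return True

    def release(self, cp_id):
        self._active.pop(cp_id, None)


def handle_handshake(headers, path, peer_ip, limiter, registry, now=None):
    """Return the HTTP status to answer the WebSocket upgrade request with
    (101 = accept; 400/401/404/409/429 = reject, codes chosen for this example)."""
    now = time.monotonic() if now is None else now
    if limiter.blocked(peer_ip, now):
        return 429  # too many failed attempts from this source
    cp_id = charge_point_id_from_path(path)
    if cp_id is None:
        return 404
    offered = [p.strip() for p in headers.get("Sec-WebSocket-Protocol", "").split(",")]
    if "ocpp1.6" not in offered:
        return 400  # not an OCPP-J client
    if not verify_basic_auth(headers.get("Authorization"), cp_id):
        limiter.record_failure(peer_ip, now)
        return 401
    if not registry.claim(cp_id, peer_ip):
        return 409  # station already connected: do not let a second peer take it over
    return 101


def basic_header(user, password):
    """Build the Authorization header a charge point would send (helper for tests/demos)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The registry's refuse-rather-than-replace rule is the direct counter to the shadowing described above: a legitimate charger that is already connected keeps its session, and the operator sees a 409 from a second source instead of silently losing the device. On a real server the same checks would run inside the HTTP upgrade handler before the socket is handed to the OCPP message loop, and `release` would be called on disconnect.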
CVE-2026-22878: Insufficiently Protected Credentials (CVSS 6.5 MEDIUM)
Operational Security (OPSEC) failures are often as dangerous as software bugs. In this case, charging station authentication identifiers have been found publicly accessible via web-based mapping platforms. This significantly lowers the barrier to entry for attackers exploiting the vulnerabilities mentioned above, as they do not even need to scan or guess the IDs—they can simply harvest them from open-source intelligence (OSINT).
Detection and Threat Hunting
Given that the vendor has not provided an immediate patch, detection and network segmentation are your primary defenses. Security teams should hunt for suspicious WebSocket traffic and unauthorized connection attempts to OCPP endpoints.
Hunting for OCPP Anomalies (KQL)
Use the following KQL query in Microsoft Sentinel to detect WebSocket connections on non-standard ports or anomalies in OCPP-like traffic patterns indicating potential session hijacking or brute-forcing.
let OCPP_Ports = dynamic([80, 443, 8000, 8080, 9000]);
DeviceNetworkEvents
| where ActionType in ("ConnectionAccepted", "InboundConnectionAllowed")
// For inbound events the listening (OCPP) port is LocalPort and the connecting peer is RemoteIP
| where LocalPort in (OCPP_Ports)
// Filter for process names or handshake headers indicative of an OCPP/WebSocket gateway (tune to your gateway)
| where InitiatingProcessFileName has "WebSocket" or AdditionalFields has "Upgrade: websocket"
// Multiple source IPs reaching the same OCPP listener in a short window is a session hijacking/shadowing indicator
| summarize ConnectionCount = count(), UniqueSourceIPs = dcount(RemoteIP) by DeviceName, LocalIP, LocalPort, bin(TimeGenerated, 5m)
| where UniqueSourceIPs > 1
| project TimeGenerated, DeviceName, DestinationIP = LocalIP, DestinationPort = LocalPort, ConnectionCount, UniqueSourceIPs
| order by ConnectionCount desc
| extend AlertContext = bag_pack("DestinationIP", DestinationIP, "DestinationPort", DestinationPort, "UniqueSourceIPs", UniqueSourceIPs)
Auditing for Exposed Identifiers (Python)
Defenders can use Python scripts to audit their own external-facing infrastructure or internal assets for predictable ID generation or leaked credentials. Note: This script is for auditing authorized assets only.
import requests


def check_websocket_header(url):
    """
    Checks whether a URL answers with WebSocket-upgrade indicators and looks for OCPP/JSON-RPC signatures.
    Use only on assets you own or have explicit permission to test.
    """
    try:
        # Plain GET without an Upgrade request: a WebSocket-only endpoint typically
        # answers 426 Upgrade Required or returns Upgrade / Connection: upgrade headers
        response = requests.get(url, timeout=5)
        headers = response.headers
        # Check for WebSocket upgrade support
        if (response.status_code == 426
                or headers.get("Upgrade", "").lower() == "websocket"
                or "upgrade" in headers.get("Connection", "").lower()):
            print(f"[+] Potential WebSocket support found at: {url}")
        # Check response body for OCPP / JSON-RPC signatures (if applicable)
        body = response.text
        if "OCPP" in body or "rpc" in body.lower():
            print(f"[!] Possible OCPP/JSON-RPC exposure detected at: {url}")
    except requests.RequestException as e:
        # Unreachable hosts are reported rather than silently skipped
        print(f"[-] {url}: request failed ({e})")


# Example usage: list of internal endpoints to audit
targets = [
    "http://charger-01.internal.local",
    "http://mobility46-gw.example.com",
]
for target in targets:
    check_websocket_header(target)
Mitigation Strategies
Since a specific vendor patch is not currently available via CISA coordination, defensive measures must focus on network architecture and access control.
- Network Segmentation (Crucial): Ensure that charging station control networks are isolated from the business network and the public internet. These devices should reside in a dedicated VLAN with strict firewall rules.
- Firewall Rules: Block inbound internet traffic to the OCPP WebSocket ports (typically 80/443 or custom ports) from unauthorized IP ranges. Allow only necessary backend server IPs to communicate with the chargers.
- VPNs for Remote Access: If remote management is required, enforce the use of secure VPNs. Do not expose OCPP endpoints directly to the public internet unless absolutely necessary, and if you do, ensure they are behind a dedicated Web Application Firewall (WAF) capable of inspecting WebSocket traffic.
- OSINT Hygiene: Immediately review web-based mapping platforms to ensure sensitive charging station identifiers (Box IDs) are not publicly listed. If they are, work with the mapping provider to have them removed, or change the identifiers if the software supports it.
- Monitor for Session Anomalies: Implement monitoring to detect multiple concurrent connections from different source IPs attempting to use the same charging station ID, a key indicator of the CVE-2026-27647 session hijacking attack.
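The KQL query above works at the network layer and cannot see which station ID a connection claimed. Where the OCPP gateway's access log records the request path, the same hunt can key on the station ID itself, which is what the last item above calls for. The following is an added example, not code from the page or from Mobility46, of that hunt over a constructed log sample. It assumes a simple line format (ISO timestamp, client IP, request path, HTTP status), the `/ocpp/<id>` path convention, and the 5-minute window the KQL query uses; it also goes one step beyond the text by flagging single source IPs that reach many distinct station IDs in the same window, the log-side footprint of the ID-guessing described under CVE-2026-26305:

```python
"""Hunt for OCPP session shadowing and station-ID enumeration in gateway access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per WebSocket upgrade request on the OCPP gateway.
# Columns (assumed format): ISO timestamp, client IP, request, HTTP status.
SAMPLE_LOG = """\
2026-03-01T10:00:02Z 10.20.1.11 GET /ocpp/CP-0001 101
2026-03-01T10:00:05Z 10.20.1.12 GET /ocpp/CP-0002 101
2026-03-01T10:01:40Z 203.0.113.9 GET /ocpp/CP-0001 101
2026-03-01T10:02:10Z 203.0.113.9 GET /ocpp/CP-0003 101
2026-03-01T10:02:11Z 203.0.113.9 GET /ocpp/CP-0004 101
2026-03-01T10:02:12Z 203.0.113.9 GET /ocpp/CP-0005 101
2026-03-01T10:02:13Z 203.0.113.9 GET /ocpp/CP-0006 101
2026-03-01T10:09:00Z 10.20.1.11 GET /ocpp/CP-0001 101
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /ocpp/([^\s/]+) (\d{3})$")


def parse_log(text):
    """Return (timestamp, client_ip, station_id, status) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def shadowing_candidates(events, window=timedelta(minutes=5)):
    """Station IDs whose accepted (101) connections came from more than one source IP
    within `window`: the signature of a second peer claiming a live charger's identity."""
    by_id = defaultdict(list)
    for ts, ip, cp_id, status in events:
        if status == 101:
            by_id[cp_id].append((ts, ip))
    hits = {}
    for cp_id, conns in by_id.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):  # slide the window from each connection
            ips = {ip for t, ip in conns[i:] if t - t0 <= window}
            if len(ips) > 1:
                hits[cp_id] = sorted(ips)
                break
    return hits


def enumeration_candidates(events, window=timedelta(minutes=5), min_ids=4):
    """Source IPs that touch at least `min_ids` distinct station IDs within `window`:
    a real charger speaks for one ID, so fan-out across IDs points to guessing."""
    by_ip = defaultdict(list)
    for ts, ip, cp_id, _ in events:
        by_ip[ip].append((ts, cp_id))
    hits = {}
    for ip, conns in by_ip.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            ids = {cp for t, cp in conns[i:] if t - t0 <= window}
            if len(ids) >= min_ids:
                hits[ip] = len(ids)
                break
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("shadowing:", shadowing_candidates(evts))
    print("enumeration:", enumeration_candidates(evts))
```

Both detections key on the station ID rather than the listener address, so they still fire when the shadowing peer and the legitimate charger hit the same gateway port, which the port-level query cannot distinguish. The thresholds (window length, `min_ids`) are starting points to tune against the normal reconnect behaviour of your fleet.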