Critical Security Flaws Expose Electric Vehicle Charging Infrastructure to Remote Takeover
The rapid expansion of electric vehicle (EV) charging networks has transformed how we think about transportation and energy infrastructure. But as these systems become more interconnected, they've also become attractive targets for malicious actors. Recently disclosed vulnerabilities in Everon's OCPP (Open Charge Point Protocol) Backend infrastructure have exposed critical weaknesses that could allow attackers to gain unauthorized administrative control over charging stations or completely disrupt charging services.
These vulnerabilities serve as a stark reminder: as critical infrastructure sectors increasingly rely on IoT and connected systems, the attack surface expands dramatically. The energy and transportation sectors, once considered air-gapped and isolated, now face the same cybersecurity challenges as traditional IT environments—often with higher stakes.
Vulnerability Analysis: A Perfect Storm of Authentication Failures
The Everon OCPP Backend vulnerabilities represent a convergence of fundamental security weaknesses. Rather than isolated issues, they form an interconnected chain of failures that could enable devastating attacks on charging infrastructure worldwide.
CVE-2026-26288: Unauthenticated WebSocket Takeover (CVSS 9.4 CRITICAL)
The most severe vulnerability stems from a fundamental failure: WebSocket endpoints completely lack authentication mechanisms. The OCPP protocol relies on WebSocket connections for real-time communication between charging stations and backends. In Everon's implementation, an attacker could:
- Discover charging station identifiers through enumeration or publicly available sources
- Establish a WebSocket connection using the station's identifier
- Issue or receive OCPP commands as if they were the legitimate charging hardware
This enables privilege escalation without any credentials. Once connected, an attacker can modify charging parameters, initiate or terminate charging sessions, manipulate transaction records, and potentially damage connected electrical infrastructure through improper control signals.
CVE-2026-24696: Authentication Flood (CVSS 7.5 HIGH)
The WebSocket API lacks any rate limiting on authentication requests. This creates two distinct attack vectors:
- Denial-of-Service: Attackers can flood the backend with connection attempts, overwhelming legitimate chargers' ability to report telemetry or receive commands
- Brute Force Amplification: When combined with other authentication mechanisms, the absence of rate limiting enables rapid credential attacks
For infrastructure operators relying on real-time telemetry for grid management, such DoS conditions could create cascading effects beyond individual charging stations.
CVE-2026-20748: Session Hijacking and Shadowing (CVSS 7.3 HIGH)
This vulnerability exploits a critical design flaw: the backend uses charging station identifiers as the sole session token but allows multiple concurrent connections using the same identifier. This creates a race condition where:
- An attacker establishes a connection using a known station identifier
- The legitimate charging station attempts to connect
- The attacker's session is either displaced or shadows the legitimate connection
- Commands intended for the legitimate station go to the attacker instead
Predictable session identifiers compound this issue, enabling attackers to enumerate valid identifiers and establish connections before legitimate devices.
CVE-2026-27027: Public Credential Exposure (CVSS 6.5 MEDIUM)
Perhaps the most concerning aspect of these vulnerabilities is that the foundation for exploiting them was publicly available. Charging station identifiers were accessible through web-based mapping platforms, providing attackers with a ready-made target list without any reconnaissance effort.
Detection and Threat Hunting
While Everon has shut down their platform as of December 1st, 2025, these vulnerabilities highlight broader risks in the EV charging ecosystem. Security teams should implement monitoring for similar patterns in their OCPP implementations and WebSocket services.
KQL Queries for Sentinel/Defender
Monitor for unusual WebSocket connection patterns and authentication anomalies:
// Detect multiple WebSocket connections from same source IP
let TimeWindow = 1h;
let ConnectionThreshold = 50;
DeviceNetworkEvents
| where ActionType == "WebSocketConnectionAccepted"
| summarize count() by SrcIpAddr, bin(Timestamp, TimeWindow)
| where count_ > ConnectionThreshold
| project suspicious_ip=SrcIpAddr, connection_count=count_
// Detect OCPP connection attempts without proper authentication flow
let OCPPPorts = dynamic([8000, 443, 80]);
DeviceNetworkEvents
| where RemotePort in OCPPPorts
| where ActionType has "WebSocket"
| where isnull(AdditionalFields)
| summarize by SrcIpAddr, DeviceName, Timestamp
| sort by Timestamp desc
// Detect session identifier enumeration patterns
let TimeWindow = 10m;
let EnumThreshold = 100;
DeviceNetworkEvents
| where RemotePort == 443 and ActionType has "WebSocket"
| where NetworkProtocol == "WebSocket"
| project Timestamp, SrcIpAddr, DstIpAddress, RequestFields
| parse RequestFields with * "stationId":"" StationId ""*
| where isnotempty(StationId)
| summarize distinct_station_count = dcount(StationId) by SrcIpAddr, bin(Timestamp, TimeWindow)
| where distinct_station_count > EnumThreshold
Python Script for OCPP Security Assessment
#!/usr/bin/env python3
"""
OCPP Security Assessment Tool
Tests for common vulnerabilities in OCPP WebSocket implementations
"""
import asyncio
import websockets
import
import argparse
from datetime import datetime
class OCPPScanner:
def __init__(self, target_uri, station_ids=None):
self.target_uri = target_uri
self.station_ids = station_ids or []
self.vulnerabilities = []
async def test_missing_auth(self, station_id):
"""Test CVE-2026-26288: Missing Authentication for Critical Function"""
try:
uri = f"{self.target_uri}/{station_id}"
async with websockets.connect(uri) as websocket:
# Try to send OCPP command without authentication
message = [
2, # MessageTypeId: CALL
"test123", # UniqueId
"BootNotification", # Action
{
"chargePointVendor": "Test",
"chargePointModel": "VulnerabilityScan"
}
]
await websocket.send(.dumps(message))
response = await asyncio.wait_for(websocket.recv(), timeout=5)
if response:
self.vulnerabilities.append({
"cve": "CVE-2026-26288",
"severity": "CRITICAL",
"finding": "Unauthenticated WebSocket connection accepted",
"station_id": station_id
})
return True
except Exception as e:
pass
return False
async def test_rate_limiting(self, station_id):
"""Test CVE-2026-24696: Missing Rate Limiting on Authentication"""
connection_count = 0
start_time = datetime.now()
for i in range(20): # Attempt 20 rapid connections
try:
uri = f"{self.target_uri}/{station_id}"
async with websockets.connect(uri) as websocket:
connection_count += 1
await asyncio.sleep(0.1)
except:
pass
elapsed = (datetime.now() - start_time).total_seconds()
if connection_count > 10 and elapsed < 5:
self.vulnerabilities.append({
"cve": "CVE-2026-24696",
"severity": "HIGH",
"finding": f"No rate limiting detected: {connection_count} connections in {elapsed:.2f}s",
"station_id": station_id
})
return True
return False
async def scan(self):
tasks = []
for station_id in self.station_ids:
tasks.append(self.test_missing_auth(station_id))
tasks.append(self.test_rate_limiting(station_id))
if not self.station_ids:
# Test with common patterns if no IDs provided
test_ids = ["EV-001", "CS-001", "charger-1", "station1"]
for station_id in test_ids:
tasks.append(self.test_missing_auth(station_id))
await asyncio.gather(*tasks, return_exceptions=True)
return self.vulnerabilities
async def main():
parser = argparse.ArgumentParser(description='OCPP Security Scanner')
parser.add_argument('target', help='Target WebSocket URI (e.g., ws://api.example.com)')
parser.add_argument('--station-ids', nargs='+', help='List of station IDs to test')
parser.add_argument('--output', help='Output JSON file')
args = parser.parse_args()
scanner = OCPPScanner(args.target, args.station_ids)
print(f"[*] Starting OCPP security scan against {args.target}")
vulnerabilities = await scanner.scan()
print(f"[*] Scan complete. Found {len(vulnerabilities)} potential vulnerabilities")
for vuln in vulnerabilities:
print(f"\n[!] {vuln['cve']} ({vuln['severity']})")
print(f" {vuln['finding']}")
if 'station_id' in vuln:
print(f" Affected Station ID: {vuln['station_id']}")
if args.output:
with open(args.output, 'w') as f:
.dump(vulnerabilities, f, indent=2)
print(f"[*] Results saved to {args.output}")
if __name__ == "__main__":
asyncio.run(main())
Bash Commands for Infrastructure Monitoring
# Monitor for WebSocket connection spikes to charging infrastructure
#!/bin/bash
THRESHOLD=100
LOG_FILE="/var/log/syslog"
PATTERN="WebSocket.*OCPP"
echo "Monitoring for WebSocket connection anomalies..."
# Count connections in last 5 minutes
connection_count=$(journalctl --since "5 minutes ago" | grep -c "$PATTERN")
if [ "$connection_count" -gt "$THRESHOLD" ]; then
echo "[ALERT] High WebSocket connection volume detected: $connection_count in 5 minutes"
# Extract top source IPs
journalctl --since "5 minutes ago" | grep "$PATTERN" | \
awk '{print $5}' | sort | uniq -c | sort -rn | head -10
fi
# Network-level detection of OCPP traffic patterns
#!/bin/bash
INTERFACE="eth0"
OCPP_PORTS="8000,443,8080"
# Capture and analyze OCPP traffic
sudo tcpdump -i $INTERFACE -nn port $OCPP_PORTS -c 100 -A 2>/dev/null | \
grep -E "BootNotification|StartTransaction|StopTransaction" | \
awk '{print $1, $2, $3, $NF}' > /tmp/ocpp_analysis.log
# Check for suspicious patterns
if grep -q "BootNotification.*guest\|BootNotification.*admin" /tmp/ocpp_analysis.log; then
echo "[WARNING] Potential weak credentials detected in OCPP traffic"
fi
Mitigation and Strategic Recommendations
The Everon situation has a definitive resolution—platform shutdown—but the underlying vulnerabilities represent systemic issues that affect many OCPP implementations. Organizations operating or deploying EV charging infrastructure should implement the following defensive measures:
Immediate Actions
-
Network Segmentation: Isolate charging station management networks from corporate IT and public internet access. Use firewalls to strictly control WebSocket traffic, allowing only necessary OCPP ports (typically 443 for secure WebSocket, 8000 for standard WebSocket) to specific backend servers.
-
VPN Implementation: When remote access to charging stations is required, use dedicated VPN solutions with multi-factor authentication. Never expose OCPP endpoints directly to the internet.
-
Credential Management: Immediately audit all charging station identifiers and authentication tokens. Replace predictable identifiers (e.g., "EV-001", "charger-1") with cryptographically generated UUIDs.
Long-Term Architecture Improvements
- Strong WebSocket Authentication: Implement TLS mutual authentication for all OCPP connections. Use X.509 certificates issued from a private certificate authority to validate both charging stations and backends.
# Example secure WebSocket configuration
wss_config:
require_client_cert: true
client_ca_file: /etc/ssl/certs/charging-stations-ca.pem
cert_file: /etc/ssl/certs/backend-cert.pem
key_file: /etc/ssl/private/backend-key.pem
verify_client: "require"
cipher_suites:
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
5. **Rate Limiting and Session Management**: Implement application-level rate limiting on all authentication endpoints. Use Redis or similar in-memory stores to track connection attempts per IP and per station identifier.
# Example rate limiting middleware for Python/FastAPI
from fastapi import FastAPI, Request, HTTPException
from slowapi import Limiter
from slowapi.util import get_remote_address
from slowapi.errors import RateLimitExceeded
limiter = Limiter(key_func=get_remote_address)
app = FastAPI()
# OCPP connections: 10 per minute per IP
@app.post("/ocpp/{station_id}")
@limiter.limit("10/minute")
async def ocpp_connection(station_id: str, request: Request):
# Additional validation for station ID format
if not validate_station_id(station_id):
raise HTTPException(status_code=400, detail="Invalid station identifier")
# Check for active session conflicts
if await has_active_session(station_id):
raise HTTPException(status_code=409, detail="Station already connected")
return await establish_ocpp_session(station_id)
6. **Telemetry Monitoring**: Deploy continuous monitoring solutions that can detect anomalous charging patterns, unusual command sequences, and geographic impossibilities (e.g., a charger in Texas reporting to a backend in Europe).
Vendor and Supply Chain Security
-
Pre-Deployment Security Assessments: Conduct penetration testing and code reviews on all OCPP implementations before production deployment. Pay particular attention to:
- WebSocket authentication mechanisms
- Session management implementation
- Error handling that might leak information
- Input validation on all OCPP JSON messages
-
Supply Chain Vetting: Evaluate charging station vendors based on their security practices. Require:
- Signed firmware updates with verification mechanisms
- Secure boot capabilities
- Incident response capabilities
- Regular security patch commitments
The Broader Context: Infrastructure Security in 2026
These vulnerabilities underscore a critical shift in the cybersecurity landscape. The convergence of energy, transportation, and information technology creates new attack vectors that traditional security models weren't designed to address. The OCPP protocol itself—a standard developed in the early 2010s—was not built with today's sophisticated threat environment in mind.
For security teams managing critical infrastructure, the lessons from Everon are clear:
- Assume exposure: Design systems under the assumption that identifiers and endpoints will be discovered
- Defense in depth: Rely on multiple layers of security rather than single points of failure
- Continuous validation: Regular testing and verification of security controls is non-negotiable
The shutdown of Everon's platform provides a definitive resolution to these specific vulnerabilities, but it shouldn't be viewed as the end of the story. The OCPP ecosystem contains many implementations, and security teams must proactively assess their exposure to similar issues.
As we continue to electrify our transportation networks, the security of charging infrastructure becomes paramount. These vulnerabilities demonstrate that even critical systems can suffer from fundamental security flaws discovered years after deployment. A proactive security posture—combined with continuous monitoring and rapid response capabilities—remains our best defense against exploitation.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.