The Achilles Heel of the EV Revolution: Analyzing Critical SWITCH EV Vulnerabilities

As the world accelerates toward electrification, the security of Electric Vehicle (EV) supply equipment (EVSE) has transitioned from a niche concern to a critical infrastructure imperative. The Cybersecurity and Infrastructure Security Agency (CISA) recently released a sobering advisory detailing severe vulnerabilities in SWITCH EV (swtchenergy.com). These flaws aren't just software bugs; they are open doors for attackers to impersonate charging stations, hijack user sessions, and potentially launch large-scale Denial of Service (DoS) attacks against energy grids.

At Security Arsenal, we view these vulnerabilities—specifically the lack of authentication on critical WebSocket endpoints—as a textbook example of how IIoT (Industrial Internet of Things) devices often lag behind traditional IT in security maturity.

The Vulnerability Landscape: A Deep Dive

CISA has assigned a CVSS v3.1 base score of 9.4 (CRITICAL) to the most severe issue. The advisory identifies four distinct CVEs affecting all versions of the SWITCH EV platform. While the vendor has not yet responded to CISA’s coordination requests, the technical details provide a clear roadmap for defenders.

1. The "Ghost Charger" (CVE-2026-27767)

CVSS Score: 9.4 (Critical) CWE: Missing Authentication for Critical Function

The most alarming flaw lies in the WebSocket endpoints used for the Open Charge Point Protocol (OCPP). This interface lacks proper authentication mechanisms. In plain English: the backend system does not verify that the device connecting to it is actually a legitimate charging station.

An attacker can simply discover a charging station identifier (which is often visible on the hardware or easily enumerated) and connect to the backend WebSocket server. Once connected, the attacker can issue OCPP commands as if they were the physical charger. This allows for:

• Privilege Escalation: Gaining unauthorized control of charging infrastructure.
• Data Corruption: Sending false telemetry or status updates to the backend.
• Operational Disruption: Manipulating the state of the charging network.

2. The Resource Exhaustion Vector (CVE-2026-25113)

CVSS Score: 7.5 (High) CWE: Improper Restriction of Excessive Authentication Attempts

The WebSocket API fails to implement rate limiting. This opens the door to two distinct attack vectors:

1. Brute Force Attacks: While authentication is missing (CVE-2026-27767), if any minimal identifier checks exist, an attacker could automate attempts to guess valid IDs.
2. Denial of Service: An attacker can flood the backend with high-volume connection requests, suppressing or misrouting legitimate traffic from actual chargers.

3. Session Hijacking and "Shadowing" (CVE-2026-25778)

CVSS Score: 7.3 (High) CWE: Insufficient Session Expiration

This vulnerability exploits a logic flaw in session management. The backend uses predictable charging station identifiers to associate sessions and allows multiple endpoints to bind to the same identifier simultaneously.

This leads to a "session shadowing" scenario where a malicious actor connects to the backend using a valid station's ID. Because the system allows multiple connections for the same ID, the attacker's connection can displace or intercept the commands intended for the legitimate charger. This essentially lets an attacker cut off the real charger and hijack the control session.

4. Exposed Credentials (CVE-2026-27773)

CVSS Score: 6.5 (Medium) CWE: Insufficiently Protected Credentials

Reconnaissance is often the first phase of an attack. This CVE highlights that charging station authentication identifiers are publicly accessible via web-based mapping platforms. This significantly lowers the barrier to entry for attackers looking to exploit the other three vulnerabilities by providing the target identifiers on a silver platter.

Detection and Threat Hunting

Given the lack of vendor response, perimeter detection becomes your primary defense. Security teams should monitor for anomalous WebSocket traffic and connection patterns indicative of session hijacking or brute-forcing.

KQL Query (Microsoft Sentinel/Defender)

This query hunts for excessive WebSocket connection attempts to known SWITCH EV endpoints or unexpected connection patterns from external IPs.

DeviceNetworkEvents
| where RemotePort in (80, 443, 8000, 9000) // Common WebSocket ports
| where Protocol == "tcp" or RemoteUrl contains "swtchenergy.com"
| where ActionType == "ConnectionAllowed"
| extend IsWebSocket = iff(AdditionalFields has "websocket" or RequestFields has "upgrade: websocket", true, false)
| where IsWebSocket == true
| summarize ConnectionCount = count(), DistinctSourceIPs = dcount(SourceIP) by DestinationIP, DestinationUrl, bin(Timestamp, 5m)
| where ConnectionCount > 50 // Threshold tuning required based on fleet size
| project Timestamp, DestinationIP, DestinationUrl, ConnectionCount, DistinctSourceIPs
| order by ConnectionCount desc

Python Validation Script

This script can be used by security teams to audit external-facing SWITCH EV endpoints for the presence of unauthenticated WebSocket exposure.

import asyncio
import websockets
import sys

async def check_ocpp_vulnerability(target_host, target_port):
    uri = f"ws://{target_host}:{target_port}/ocpp" # Adjust path based on vendor config
    print(f"[*] Testing {target_host} on port {target_port}...")
    
    try:
        # Attempt connection without authentication headers
        print("[*] Attempting unauthenticated WebSocket connection...")
        async with websockets.connect(uri, close_timeout=5) as websocket:
            print("[!] Connection Succeeded: Endpoint lacks authentication (VULNERABLE)")
            
            # Send a basic OCPP BootNotification to verify control
            boot_payload = '[2,"1234","BootNotification",{"chargePointModel":"HackerOne","chargePointVendor":"Test"}]'
            await websocket.send(boot_payload)
            response = await websocket.recv()
            print(f"[+] Server Response: {response}")
            
    except websockets.exceptions.InvalidStatusCode as e:
        if e.status_code == 401 or e.status_code == 403:
            print("[-] Connection Rejected (401/403): Authentication may be present.")
        else:
            print(f"[-] Connection Failed with Status: {e.status_code}")
    except ConnectionRefusedError:
        print("[-] Connection Refused: Port may be closed or filtered.")
    except Exception as e:
        print(f"[-] Unexpected Error: {str(e)}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python3 check_swtch.py <host> <port>")
        sys.exit(1)
    asyncio.run(check_ocpp_vulnerability(sys.argv[1], int(sys.argv[2])))

Mitigation Strategies

With no official patch available from the vendor at the time of this advisory, defensive measures must focus on network isolation and minimizing the attack surface.

1. Network Segmentation: CISA emphasizes placing control system networks behind firewalls and isolating them from business networks. EV chargers should never sit directly on the public internet with unrestricted access to their WebSocket ports.

2. Strict Firewall Rules: Implement ingress/egress filtering. Only allow specific, necessary IP addresses (e.g., the vendor's backend server) to initiate connections to the chargers. Block all unsolicited inbound traffic from the wider internet.

3. VPN Enforcement: If remote access is required for management, enforce VPN usage with Multi-Factor Authentication (MFA). Ensure the VPN solution is patched against known vulnerabilities.

4. Monitor for Session Anomalies: Deploy detection rules to flag when multiple concurrent sessions are established for the same Charging Station Identifier (CSI), as this indicates session hijacking/shadowing activity (CVE-2026-25778).

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub