
Defending EV Infrastructure: Responding to Critical ePower epower.ie Vulnerabilities (CVSS 9.4)

Security Arsenal Team
March 16, 2026

As the adoption of electric vehicles (EVs) accelerates, the security of the charging infrastructure has become a paramount concern for defenders. A recent advisory from CISA highlights critical vulnerabilities in ePower epower.ie, a charging station management system. These flaws present a significant risk to the Energy and Transportation sectors, potentially allowing attackers to hijack administrative controls or disrupt charging services via Denial-of-Service (DoS) attacks.

For security teams managing Operational Technology (OT) or critical infrastructure, understanding these vulnerabilities is not just about patching software—it is about maintaining the availability and safety of essential public services.

Technical Analysis

CISA has released an advisory (ICSA-26-062-07) identifying multiple security weaknesses in the ePower epower.ie platform. The product is utilized worldwide to manage and monitor EV charging stations.

Affected Products:

  • Vendor: ePower
  • Product: ePower epower.ie
  • Affected Versions: All versions (vers:all/*)

Severity:

  • CVSS v3 Score: 9.4 (Critical)

Key Vulnerabilities:

  1. CVE-2026-22552 (Missing Authentication for Critical Function): The primary concern involves WebSocket endpoints that lack proper authentication. This allows unauthenticated attackers to interact with critical functions of the charging station management interface.
  2. Improper Restriction of Excessive Authentication Attempts: The system does not effectively limit failed login attempts, facilitating brute-force attacks against administrative accounts.
  3. Insufficient Session Expiration & Insufficiently Protected Credentials: Session management flaws could allow attackers to maintain access longer than intended or capture credentials due to inadequate protection mechanisms.

Impact: Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks. Given the critical infrastructure status of energy and transportation systems, this poses a severe risk.

Defensive Monitoring

To determine if your environment is vulnerable or if an attack is underway, security teams should monitor for suspicious WebSocket traffic and unauthorized access attempts to the ePower management interfaces.

Microsoft Sentinel / Defender KQL

Use the following KQL query to detect unauthenticated or suspicious WebSocket connection attempts to known ePower management endpoints. This query looks for Connection: Upgrade headers typical of WebSocket communication.

Script / Code
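// Replace the placeholder with your own charger management domains.
let ePowerEndpoints = dynamic(["epower.ie", "your-charger-domain.com"]);
DeviceNetworkEvents
// Require both a known management endpoint and a web port; "or" here would match almost all web traffic.
| where RemoteUrl has_any (ePowerEndpoints) and RemotePort in (80, 443, 8080)
| where InitiatingProcessFileName has_any ("powershell", "cmd", "python", "curl") or RemoteUrl contains "socket"
// Matches only events whose AdditionalFields carries the header text.
| where tostring(AdditionalFields) has "Connection: Upgrade"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc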

Network Verification (PowerShell)

Defenders can use this PowerShell script as a first step in checking whether charging station management interfaces are reachable on the internal network. It confirms only that the management port accepts TCP connections; it does not itself send a WebSocket request or test authentication.

Script / Code
<#
.SYNOPSIS
    Checks whether an ePower management interface is reachable over TCP.
.DESCRIPTION
    This script attempts a basic TCP connection to see if the port is open and accepting connections.
    It does not send an HTTP or WebSocket request and does not test authentication.
    Note: Adjust $targetHostname and $port to match your specific environment configuration.
#>

param(
    [string]$targetHostname = "epower-management.example.com",
    [int]$port = 443
)

$tcpConnection = New-Object System.Net.Sockets.TcpClient
try {
    $tcpConnection.Connect($targetHostname, $port)
    Write-Host "[+] Connection established to $targetHostname on port $port." -ForegroundColor Green

    # Further inspection of the HTTP headers would require a full HTTP client request.
    # This confirms network reachability which is the first step for an attacker.
} catch {
    Write-Host "[-] Failed to connect to $targetHostname on port $port." -ForegroundColor Red
    Write-Host "Host may be down, or firewall rules may be blocking access."
} finally {
    # Release the socket whether or not the connection succeeded.
    $tcpConnection.Close()
}

Remediation

Organizations utilizing ePower epower.ie products must take immediate action to mitigate the risk of unauthorized access and service disruption.

1. Apply Vendor Updates: Contact ePower immediately to obtain the latest security patches. Since the advisory affects "all versions," confirming the specific patched version relevant to your deployment is critical.

2. Network Segmentation: Ensure that charging station management interfaces are not directly accessible from the public internet. Place these devices in isolated VLANs, strictly separating the OT (Operational Technology) network from the IT network. Use firewalls to restrict traffic to known, trusted management IP addresses only.

3. Disable Unused WebSocket Endpoints: If the vendor guidance permits, temporarily disable WebSocket functionality on the management interface until patches can be applied, provided this does not disrupt critical charging operations.

4. Implement Strong Authentication: Enforce MFA (Multi-Factor Authentication) for all administrative access to the charging management system. Ensure that account lockout policies are enabled to mitigate brute-force attacks related to the "Improper Restriction of Excessive Authentication Attempts" vulnerability.

5. Monitor for Anomalies: Increase monitoring on logging endpoints for failed login attempts and unexpected WebSocket upgrade requests on the management infrastructure.
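
The monitoring described in items 4 and 5, run over a reverse-proxy access log in front of the management interface. This is an added example, not code from the CISA advisory, the vendor or the original article. The log format, the /ws and /login paths, the addresses, the trusted management range and the thresholds are all assumptions to adapt to your deployment.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in nginx "combined"-style format; hosts and paths are hypothetical.
SAMPLE_LOG = """\
10.20.0.5 - - [16/Mar/2026:09:00:01 +0000] "GET /ws HTTP/1.1" 101 0
203.0.113.7 - - [16/Mar/2026:09:00:05 +0000] "GET /ws HTTP/1.1" 101 0
198.51.100.9 - - [16/Mar/2026:09:01:00 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.9 - - [16/Mar/2026:09:01:08 +0000] "POST /login HTTP/1.1" 401 12
10.20.0.8 - - [16/Mar/2026:09:01:10 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.9 - - [16/Mar/2026:09:01:15 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.9 - - [16/Mar/2026:09:01:22 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.9 - - [16/Mar/2026:09:01:30 +0000] "POST /login HTTP/1.1" 401 12
10.20.0.8 - - [16/Mar/2026:09:05:00 +0000] "POST /login HTTP/1.1" 200 310
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def parse(log_text):
    """Yield (ip, timestamp, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path, status = m.groups()
            yield (ipaddress.ip_address(ip),
                   datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status))

def analyze(log_text, trusted_cidrs, max_failures=5, window=timedelta(minutes=1)):
    """Return (untrusted WebSocket upgrades, sources exceeding the failed-login threshold)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    upgrades, brute = [], set()
    failures = defaultdict(deque)          # source IP -> recent 401 timestamps
    for ip, ts, path, status in parse(log_text):
        # 101 Switching Protocols means the WebSocket handshake was accepted.
        if status == 101 and not any(ip in net for net in trusted):
            upgrades.append((str(ip), path))
        if status == 401:
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > window:  # drop attempts outside the sliding window
                recent.popleft()
            if len(recent) >= max_failures:
                brute.add(str(ip))
    return upgrades, sorted(brute)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, ["10.20.0.0/16"]))
```

The sliding window assumes log lines arrive in chronological order, which holds for a single proxy's access log but not for merged logs from several hosts.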

