EV Charging Infrastructure Under Attack: Critical Mobility46 Flaws Demand Immediate Action
Introduction
The rapid electrification of transportation has created a vast network of connected EV charging infrastructure, and as Security Arsenal's latest analysis shows, that infrastructure faces a significant cyber threat. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory detailing four vulnerabilities in Mobility46's charging station management platform that could allow attackers to impersonate charging stations, disrupt charging services, and affect the energy systems those stations connect to.
These aren't theoretical concerns. With CVSS scores ranging from 6.5 to a critical 9.4, these vulnerabilities expose fundamental weaknesses in how EV charging stations authenticate, manage sessions, and protect credentials. For organizations managing or deploying Mobility46 systems, immediate action is required to prevent potential disruption of energy and transportation services.
Vulnerability Deep Dive
The Mobility46 platform suffers from a cascade of authentication and session management failures that attackers can chain together for maximum impact. Let's break down each vulnerability and explore the real-world attack scenarios they enable.
CVE-2026-27028: Authentication-Free Access (CVSS 9.4 CRITICAL)
The most severe vulnerability exposes a critical design flaw: WebSocket endpoints lack any meaningful authentication mechanism. In plain terms, this means an attacker can connect to the Open Charge Point Protocol (OCPP) WebSocket endpoint using nothing more than a known charging station identifier—and then issue commands as if they were that physical charger.
The attack surface is particularly concerning because:
- Zero authentication required: No credentials, certificates, or tokens needed
- Station impersonation: Attackers can masquerade as legitimate hardware
- Backend manipulation: Ability to inject fraudulent telemetry data
- Unauthorized control: Status reports and command responses are accepted as if they came from the real charger, giving the attacker the charger's standing in the backend
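To make the flaw concrete, here is an added example (written for this article, not Mobility46 code, and not a model of any specific vendor's implementation) of how an OCPP-J backend decides who is on the other end of a WebSocket. In OCPP 1.6-J the charge point identity is the last segment of the URL path and the subprotocol is `ocpp1.6`; a backend that accepts the path alone, as `accept_unauthenticated` does, has exactly the weakness described above, while `accept_profile1` applies OCPP 1.6 security profile 1 (HTTP Basic credentials on the upgrade request, bound to the identity in the path). The credential store, the `/ocpp/` path prefix and the `CP001` identity are assumptions made for the example.

```python
"""Added example: identity decisions in an OCPP-J (OCPP 1.6 over WebSocket)
backend. Not vendor code; the credential store and identities are constructed."""
import base64
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CALL = 2  # OCPP-J MessageTypeId for a request frame


@dataclass
class UpgradeRequest:
    """The parts of a WebSocket upgrade request that decide identity here."""
    path: str
    headers: Dict[str, str]


def identity_from_path(path: str) -> str:
    """OCPP-J: the charge point identity is the last segment of the URL path."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def accept_unauthenticated(req: UpgradeRequest) -> Optional[str]:
    """Weak pattern: any client that offers the OCPP subprotocol and names a
    station identifier in the path is accepted as that station. Returns the
    identity the backend would attribute the socket to, or None if refused."""
    if req.headers.get("Sec-WebSocket-Protocol") != "ocpp1.6":
        return None
    return identity_from_path(req.path)


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization value a charger sends under security profile 1."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Parse 'Authorization: Basic <base64(user:password)>'; None if absent or malformed."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def accept_profile1(req: UpgradeRequest, credentials: Dict[str, str]) -> Optional[str]:
    """Hardened pattern (OCPP 1.6 security profile 1): the path identity must equal
    the Basic-auth username, and the password must match the secret provisioned
    for that charger. `credentials` (identity -> password) stands in for a real
    credential store; it is an assumption of this example."""
    if req.headers.get("Sec-WebSocket-Protocol") != "ocpp1.6":
        return None
    identity = identity_from_path(req.path)
    creds = _basic_credentials(req.headers)
    if creds is None:
        return None
    user, password = creds
    expected = credentials.get(identity, "")
    # Constant-time compare; a credential issued to one charger must not unlock another.
    if not expected or user != identity or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return identity


def boot_notification(msg_id: str, vendor: str, model: str) -> str:
    """Encode the BootNotification CALL a charger sends first after connecting;
    on an unauthenticated socket this is the first frame an impersonator can inject."""
    return json.dumps([CALL, msg_id, "BootNotification",
                       {"chargePointVendor": vendor, "chargePointModel": model}])


def parse_call(frame: str) -> Tuple[str, dict]:
    """Decode an OCPP-J CALL frame into (action, payload); reject anything else."""
    msg = json.loads(frame)
    if not (isinstance(msg, list) and len(msg) == 4 and msg[0] == CALL):
        raise ValueError("not an OCPP-J CALL frame")
    return msg[2], msg[3]


if __name__ == "__main__":
    store = {"CP001": "s3cr3t"}  # constructed sample credential store
    bare = UpgradeRequest("/ocpp/CP001", {"Sec-WebSocket-Protocol": "ocpp1.6"})
    print("unauthenticated backend attributes socket to:", accept_unauthenticated(bare))
    print("profile-1 backend attributes socket to:", accept_profile1(bare, store))
    print(parse_call(boot_notification("1", "Example", "Model-X")))
```

The point of the comparison is the inputs, not the code size: the weak backend needs only the path, which is exactly the public station identifier, while the profile-1 backend needs a per-charger secret that never appears on a map. Profiles 2 and 3 replace or supplement the password with TLS and client certificates, which is the mutual-TLS requirement listed in the long-term strategy below.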
CVE-2026-26305: No Rate Limiting, No Limits (CVSS 7.5 HIGH)
Even if authentication were properly implemented, the platform fails to restrict the number of authentication attempts. This creates two primary attack vectors:
- Denial-of-Service: Attackers can overwhelm the system with connection requests, suppressing legitimate charger telemetry and mis-routing critical data
- Brute-Force Acceleration: Without rate limiting, password-guessing attacks proceed at maximum speed, dramatically reducing the time required to compromise credentials
CVE-2026-27647: Session Hijacking Made Easy (CVSS 7.3 HIGH)
This vulnerability reveals a fundamental misunderstanding of session management. The backend allows multiple endpoints to connect using the same charging station identifier—effectively enabling session "shadowing" where the newest connection displaces the legitimate one.
The implications are severe:
- Identifier as the only session key: The station identifier is the sole thing binding a connection to a charger, so anyone who presents it can take over that charger's session
- Active displacement: Attackers can actively kick legitimate chargers offline
- Command interception: Backend commands intended for real hardware go to attackers instead
- Infrastructure confusion: The backend receives conflicting data from competing "clients"
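The two backend-side gaps just described, unthrottled authentication attempts and a newer connection silently displacing a live one, share the same fix surface: the code that admits sockets. The following added example, written for this article rather than taken from Mobility46 or any vendor, sketches a connection broker that throttles authentication per source address with a token bucket plus lockout, and refuses a second socket for an identity that is still heartbeating instead of replacing it. The thresholds, the heartbeat interval and the plain-seconds clock passed in by the caller are assumptions made so the logic is deterministic.

```python
"""Added example: a connection broker for an OCPP-J backend that rate-limits
authentication and refuses duplicate sessions. Not vendor code; time is passed
in as plain seconds (a real backend would use time.monotonic())."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Bucket:
    """Token bucket for authentication attempts from one source address."""
    tokens: float
    updated: float
    locked_until: float = 0.0


@dataclass
class Session:
    """A live OCPP-J socket bound to a charge point identity."""
    identity: str
    source: str
    last_seen: float


class ConnectionBroker:
    def __init__(self, rate_per_min: float = 6.0, burst: int = 6,
                 lockout_s: float = 300.0, heartbeat_s: float = 300.0):
        self.rate = rate_per_min / 60.0  # token refill per second (assumed default)
        self.burst = burst               # attempts allowed back to back
        self.lockout_s = lockout_s       # penalty once the bucket is exhausted
        self.heartbeat_s = heartbeat_s   # heartbeat interval the charger was told to use
        self.buckets: Dict[str, Bucket] = {}
        self.sessions: Dict[str, Session] = {}

    def _bucket(self, source: str, now: float) -> Bucket:
        b = self.buckets.get(source)
        if b is None:
            b = self.buckets[source] = Bucket(tokens=float(self.burst), updated=now)
        b.tokens = min(float(self.burst), b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        return b

    def auth_allowed(self, source: str, now: float) -> bool:
        """Decide, before any credential work, whether `source` may attempt to
        authenticate. Exhausting the burst locks the source out for lockout_s,
        turning a wire-speed brute force into a handful of guesses per lockout."""
        b = self._bucket(source, now)
        if now < b.locked_until:
            return False
        if b.tokens < 1.0:
            b.locked_until = now + self.lockout_s
            return False
        b.tokens -= 1.0
        return True

    def auth_succeeded(self, source: str, now: float) -> None:
        """Refund the token on success so chargers that legitimately reconnect
        often (flaky cellular links) are not penalised; failures stay spent."""
        b = self._bucket(source, now)
        b.tokens = min(float(self.burst), b.tokens + 1.0)

    def attach(self, identity: str, source: str, now: float) -> str:
        """Bind an authenticated socket to `identity`. A second socket for an
        identity that is still alive is refused rather than silently taking over;
        the live session is replaced only once it has missed its heartbeat, or when
        the reconnect comes from the same address (old socket assumed dead, e.g.
        after a NAT timeout)."""
        live = self.sessions.get(identity)
        if live is None:
            self.sessions[identity] = Session(identity, source, now)
            return "attached"
        if live.source == source:
            self.sessions[identity] = Session(identity, source, now)
            return "replaced-same-source"
        if now - live.last_seen > self.heartbeat_s:
            self.sessions[identity] = Session(identity, source, now)
            return "replaced-stale"
        return "refused-duplicate"

    def heartbeat(self, identity: str, now: float) -> None:
        """Record a Heartbeat (or any message) from the live socket."""
        live = self.sessions.get(identity)
        if live is not None:
            live.last_seen = now

    def detach(self, identity: str, source: str) -> None:
        """Drop the session only if the closing socket is the one that owns it."""
        live = self.sessions.get(identity)
        if live is not None and live.source == source:
            del self.sessions[identity]
```

The "refused-duplicate" path is the one that matters for the session-shadowing flaw: with it, knowing a station identifier is not enough to evict the real charger, and an attacker who does get a socket cannot also prevent the legitimate charger from closing its own session later, because `detach` checks ownership by source.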
CVE-2026-22878: Publicly Exposed Credentials (CVSS 6.5 MEDIUM)
Perhaps the most embarrassing vulnerability: charging station authentication identifiers are publicly accessible via web-based mapping platforms. This isn't a sophisticated exploit—it's simply using open mapping services to harvest credentials that should never have been exposed.
Attack Scenario Walkthrough
Let's explore how a sophisticated attacker might chain these vulnerabilities to compromise an entire charging network:
- Reconnaissance: Use mapping platforms to harvest charging station IDs (CVE-2026-22878)
- Initial Access: Connect to WebSocket endpoints using harvested station IDs, bypassing authentication entirely (CVE-2026-27028)
- Session Hijacking: Establish shadow sessions to intercept backend commands (CVE-2026-27647)
- Expansion: Without rate limiting, enumerate further station identifiers or guess credentials at wire speed to reach additional chargers (CVE-2026-26305)
- Impact: Manipulate charging data, disrupt service across many stations at once and, at scale, stress the grid segments those stations draw from
The result isn't just disabled charging stations—it's potential disruption of the broader energy infrastructure that these systems connect to.
Detection and Threat Hunting
Security teams should implement the following detection strategies to identify potential exploitation of these vulnerabilities:
KQL Queries for Sentinel/Defender
Monitor for unusually high connection volumes from monitored hosts to Mobility46 backends. This is endpoint telemetry, so it covers chargers and management hosts that run the Defender agent; exploitation of a vendor-hosted backend by a third party will not appear here:
let Mobility46Endpoints = dynamic(["mobility46.se"]); // add the OCPP backend hostnames your chargers use
DeviceNetworkEvents
| where RemoteUrl has_any (Mobility46Endpoints)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| summarize Connections = count(), Processes = make_set(InitiatingProcessFileName)
    by DeviceName, LocalIP, RemoteUrl, bin(Timestamp, 1h)
| where Connections > 100 // Threshold for suspicious connection volume; tune to your chargers' normal reconnect rate
| extend Severity = iff(Connections > 1000, "Critical", "High")
Detect rapid reconnect churn, which is how a charger being displaced by a shadow session looks from the charger side (each reconnect is a new connection a few hundred milliseconds after the last):
DeviceNetworkEvents
| where RemoteUrl has_any ("mobility46.se")
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemoteUrl,
    InitiatingProcessAccountName, InitiatingProcessCommandLine
| sort by DeviceName asc, Timestamp asc
| extend Gap = Timestamp - prev(Timestamp), PrevDevice = prev(DeviceName)
| where PrevDevice == DeviceName and Gap < 500ms // Multiple rapid connections from one host
| summarize Reconnects = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, InitiatingProcessCommandLine
| where Reconnects > 5
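The Defender queries above only see hosts that run the agent. Displacement and brute-force activity against the backend itself shows up in the backend's, or its reverse proxy's, connection log, so the added Python example below (not part of the article's original queries and not vendor code) runs three checks over a constructed log: an identity connecting from two source addresses inside a short window, a source whose connect/auth-failure rate exceeds a threshold, and an identity that keeps reconnecting. The line format, field names and thresholds are assumptions; map them to whatever your CSMS or proxy emits.

```python
"""Added example: backend-side detection for the three Mobility46-style
symptoms over a constructed connection log. Not vendor code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed log format for this example: one line per connection event.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) cp=(?P<cp>\S+) event=(?P<event>\S+)$")

# Constructed sample: a legitimate charger (198.51.100.4), a second client
# claiming the same identity from 203.0.113.9, and an identity-guessing run.
SAMPLE_LOG = "\n".join([
    "2026-03-02T10:00:00Z src=198.51.100.4 cp=CP001 event=connect",
    "2026-03-02T10:00:05Z src=198.51.100.5 cp=CP002 event=connect",
    "2026-03-02T10:01:10Z src=203.0.113.9 cp=CP001 event=connect",
    "2026-03-02T10:01:11Z src=198.51.100.4 cp=CP001 event=disconnect",
    "2026-03-02T10:01:12Z src=198.51.100.4 cp=CP001 event=connect",
    "2026-03-02T10:01:13Z src=203.0.113.9 cp=CP001 event=disconnect",
] + [f"2026-03-02T10:02:{i:02d}Z src=203.0.113.9 cp=CP{100 + i} event=auth_fail"
     for i in range(30)])


def parse_log(text: str) -> List[dict]:
    """Parse log lines into events sorted by time; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "cp": m["cp"], "event": m["event"]})
    events.sort(key=lambda e: e["ts"])
    return events


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of (sorted) timestamps inside any interval of length `window`."""
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def shadowed_identities(events: List[dict], window: timedelta = timedelta(minutes=5)) -> Dict[str, Set[str]]:
    """Identities that connected from more than one source address within `window`:
    the signature of a second client claiming a charger that is still online."""
    by_cp: Dict[str, List[tuple]] = defaultdict(list)
    for e in events:
        if e["event"] == "connect":
            by_cp[e["cp"]].append((e["ts"], e["src"]))
    hits = {}
    for cp, conns in by_cp.items():
        for i, (t0, _) in enumerate(conns):
            sources = {src for t, src in conns[i:] if t - t0 <= window}
            if len(sources) > 1:
                hits[cp] = sources
                break
    return hits


def bursting_sources(events: List[dict], window: timedelta = timedelta(minutes=1),
                     threshold: int = 20) -> Dict[str, int]:
    """Sources exceeding `threshold` connects/auth failures per `window`: connection
    flooding or identity/credential brute force, which no rate limit is stopping."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] in ("connect", "auth_fail"):
            by_src[e["src"]].append(e["ts"])
    return {src: n for src, ts in by_src.items() if (n := max_in_window(ts, window)) > threshold}


def flapping_identities(events: List[dict], window: timedelta = timedelta(minutes=5),
                        threshold: int = 2) -> Dict[str, int]:
    """Identities reconnecting more than `threshold` times per `window`: a charger
    repeatedly displaced and reconnecting, or an attacker keeping a shadow session."""
    by_cp: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "connect":
            by_cp[e["cp"]].append(e["ts"])
    return {cp: n for cp, ts in by_cp.items() if (n := max_in_window(ts, window)) > threshold}


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("shadowed:", shadowed_identities(EVENTS))
    print("bursting:", bursting_sources(EVENTS))
    print("flapping:", flapping_identities(EVENTS))
```

On the sample the three checks fire on exactly the three injected behaviours: `CP001` seen from two addresses, `203.0.113.9` with 30 authentication failures inside a minute, and `CP001` reconnecting three times in five minutes. Chargers behind carrier-grade NAT can legitimately change address, so treat the shadowing check as a lead to correlate with the charger's own connectivity log rather than as proof on its own.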
Bash Script for Vulnerability Scanning
Organizations can use this script to scan networks they own for hosts that accept an OCPP WebSocket upgrade or identify themselves as Mobility46. Run it only against ranges you are authorised to test:
#!/bin/bash
# Mobility46 / OCPP exposure scanner
# Usage: ./scan_mobility46.sh <target_network>
set -euo pipefail
TARGET_NETWORK="${1:?usage: $0 <target_network>}"
LOG_FILE="mobility46_scan_$(date +%Y%m%d_%H%M%S).log"
PORTS="80,443,8000,8080,8443,9000,3017" # ports commonly used for OCPP WebSocket backends
echo "[+] Scanning network $TARGET_NETWORK for Mobility46/OCPP endpoints..." | tee -a "$LOG_FILE"
# One nmap pass; the grepable output is reused below instead of scanning twice
SCAN="$(nmap -p "$PORTS" --open -oG - "$TARGET_NETWORK")"
printf '%s\n' "$SCAN" >> "$LOG_FILE"
# Grepable host lines look like: Host: 10.0.0.5 ()  Ports: 80/open/tcp//http///
for ip in $(printf '%s\n' "$SCAN" | grep '/open/' | awk '{print $2}' | sort -u); do
  echo "[+] Checking $ip for OCPP WebSocket exposure..." >> "$LOG_FILE"
  for port in ${PORTS//,/ }; do
    for scheme in http https; do
      url="$scheme://$ip:$port/"
      # Offer a WebSocket upgrade with the OCPP 1.6 subprotocol: a 101 means the host
      # speaks WebSocket here and the OCPP endpoint may be reachable without credentials
      status="$(curl -sk --http1.1 --max-time 5 -o /dev/null -w '%{http_code}' \
        -H 'Connection: Upgrade' -H 'Upgrade: websocket' -H 'Sec-WebSocket-Version: 13' \
        -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' -H 'Sec-WebSocket-Protocol: ocpp1.6' \
        "$url" || true)"
      if [ "$status" = "101" ]; then
        echo "[!] $url accepted a WebSocket upgrade (ocpp1.6 offered)" | tee -a "$LOG_FILE"
      fi
      # The vendor name in response headers is a weaker, secondary signal
      curl -skI --max-time 5 "$url" 2>/dev/null | grep -i 'mobility46' | sed "s|^|[+] $url |" >> "$LOG_FILE" || true
    done
  done
done
echo "[+] Scan complete. Results saved to $LOG_FILE"
PowerShell for Windows-Based Monitoring
Log connections from Windows hosts to Mobility46 backends. At the TCP level a WebSocket cannot be told apart from ordinary HTTPS, so the value of this log is in spotting processes or hosts that have no business talking to the backend:
# Monitor for connections to Mobility46 backends
# Reverse DNS of a cloud address rarely returns the vendor name, so resolve the backend
# hostnames forward once and match on the resulting addresses instead.
$Mobility46Hosts = @("mobility46.se")   # add the OCPP backend hostnames your chargers use
$LogPath = "C:\Logs\Mobility46_Monitoring_$(Get-Date -Format 'yyyyMMdd').log"
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$Mobility46Ips = foreach ($h in $Mobility46Hosts) {
    (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue).IPAddress
}
function Log-Mobility46Connections {
    $Connections = Get-NetTCPConnection -State Established |
        Where-Object { $Mobility46Ips -contains $_.RemoteAddress }
    if ($Connections) {
        $Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        foreach ($Conn in $Connections) {
            $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
            $LogEntry = "[$Timestamp] Mobility46 Connection - PID: $($Conn.OwningProcess), Process: $($Process.ProcessName), Remote: $($Conn.RemoteAddress):$($Conn.RemotePort)"
            Add-Content -Path $LogPath -Value $LogEntry
            Write-Host $LogEntry -ForegroundColor Yellow
        }
    }
}
# Run monitoring loop (adjust interval as needed; re-resolve $Mobility46Ips if the backend's addresses change)
while ($true) {
    Log-Mobility46Connections
    Start-Sleep -Seconds 30
}
Mitigation and Response
Given that Mobility46 did not respond to CISA's coordination request, organizations must take immediate independent action to secure their infrastructure.
Immediate Actions (Next 24 Hours)
1. **Network Isolation**: Remove direct internet exposure for Mobility46 charging stations and their management hosts immediately. Where the backend is operated by the vendor rather than by you, this limits your own exposure and keeps your hosts out of an attack, but it cannot stop a third party elsewhere from impersonating your chargers to that backend; only the vendor can close that gap.
# Block outbound traffic to Mobility46 from critical networks.
# iptables resolves a hostname once, at insert time, and does not accept wildcards such as
# *.mobility46.se, so block the resolved addresses through an ipset. Repeat the dig line
# for each backend hostname your chargers use, and re-run when DNS changes.
ipset -exist create mobility46 hash:ip
dig +short A mobility46.se | grep -E '^[0-9.]+$' | xargs -rI{} ipset -exist add mobility46 {}
iptables -A OUTPUT -p tcp -m set --match-set mobility46 dst -j REJECT
2. **Implement Web Application Firewall Rules**: Where you front the backend yourself, block WebSocket connections to the OCPP endpoints from untrusted networks
3. **Credential Rotation**: If your organization has used any Mobility46 identifiers in other systems, treat them as compromised and rotate immediately
Short-Term Remediation (Next Week)
1. **VPN Enforcement**: Require VPN access for any remote management of charging infrastructure
# Windows Firewall: reach the Mobility46 backend only over the VPN (RemoteAccess) interface.
# -RemoteAddress takes IP addresses rather than hostnames, so resolve first. Block rules take
# precedence over allow rules, so block on the non-VPN interface types instead of adding a
# competing allow rule; traffic over the VPN interface stays allowed by the default outbound
# policy. Verify how your VPN adapter is classified, as third-party adapters may enumerate as Wired.
$Mobility46Ips = (Resolve-DnsName -Name "mobility46.se" -Type A).IPAddress
foreach ($type in "Wired", "Wireless") {
    New-NetFirewallRule -DisplayName "Block Mobility46 Direct Access ($type)" `
        -Direction Outbound -RemoteAddress $Mobility46Ips -InterfaceType $type -Action Block
}
2. **Network Segmentation**: Move all charging station management networks to isolated VLANs with strict firewall rules
3. **Monitoring Deployment**: Implement the detection queries provided above with immediate alerting thresholds
Long-Term Strategy
- Vendor Assessment: Evaluate alternative EV charging management platforms with robust security architectures
- Security Requirements: Update procurement requirements to mandate:
- Mutual TLS authentication for all WebSocket connections
- Rate limiting on all API endpoints
- Cryptographically secure session identifiers
- Credential protection standards
- Red Team Testing: Conduct regular penetration testing of charging infrastructure using methodologies that specifically target OCPP and EV charging protocols
Executive Takeaways
- Critical Risk: The combination of authentication bypass (CVE-2026-27028) and session hijacking (CVE-2026-27647) represents a critical security failure that cannot be mitigated without vendor cooperation or infrastructure replacement
- Supply Chain Concerns: Mobility46's lack of response to CISA coordination underscores the importance of vendor security posture in procurement decisions for critical infrastructure
- Broader Implications: These vulnerabilities likely exist in other EV charging platforms—organizations should conduct immediate security assessments of all connected charging infrastructure
- Energy Grid Risk: Compromised EV chargers aren't just a consumer inconvenience—they represent a potential attack vector against the broader electrical grid
For organizations requiring assistance with vulnerability assessment, threat hunting, or incident response related to these Mobility46 vulnerabilities, Security Arsenal's Managed SOC team is standing by to provide expert guidance.