Back to Intelligence

Securing EV Infrastructure: How to Defend Against Everon OCPP Backend Vulnerabilities

SA
Security Arsenal Team
March 16, 2026
5 min read

Introduction

The rapid expansion of Electric Vehicle (EV) infrastructure brings new cybersecurity challenges to the Energy and Transportation sectors. Recently, CISA released an advisory (ICSA-26-062-08) regarding critical vulnerabilities affecting Everon OCPP Backends. These flaws pose a significant risk, potentially allowing attackers to gain unauthorized administrative control over charging stations or disrupt services entirely. For defenders managing Operational Technology (OT) and IoT environments, understanding the risks associated with the Open Charge Point Protocol (OCPP) implementations is essential to maintaining service availability and grid safety.

Technical Analysis

The advisory identifies multiple security weaknesses in the api.everon.io backend, affecting all versions of the Everon OCPP Backends. The aggregate CVSS v3 score is 9.4 (Critical), indicating a high urgency for remediation.

The vulnerabilities primarily stem from weaknesses in identity and access management controls:

  • Missing Authentication for Critical Function (CVE-2026-26288): Specific WebSocket endpoints lack necessary authentication controls, allowing unauthenticated interaction with the backend.
  • Improper Restriction of Excessive Authentication Attempts: The system does not adequately limit login attempts, facilitating brute-force attacks against charging station accounts.
  • Insufficient Session Expiration: User sessions remain active for too long, increasing the risk of session hijacking.
  • Insufficiently Protected Credentials: Credentials may be stored or transmitted in a manner that allows interception or recovery.

Affected Products:

  • Everon OCPP Backends (api.everon.io)
  • Versions: All (vers:all/*)

If exploited, these vulnerabilities could allow threat actors to manipulate charging station settings, halt charging operations (Denial of Service), or potentially pivot into broader energy management networks.

Defensive Monitoring

Defenders should actively monitor network traffic for anomalies associated with the api.everon.io endpoints. Since these vulnerabilities involve authentication bypasses and brute-force attempts, security teams should look for an unusual volume of failed login attempts or successful connections from unexpected IP ranges.

KQL Query for Microsoft Sentinel/Defender

Use the following KQL query to detect potential brute-force activity or suspicious traffic patterns targeting the Everon API endpoints within your network logs or proxy logs.

Script / Code
let TargetDomain = "api.everon.io";
let TimeFrame = 1h;
CommonSecurityLog
| where TimeGenerated > ago(TimeFrame)
| where DestinationUrl contains TargetDomain
// Look for excessive HTTP 401 or 403 responses indicating auth failures
| where StatusCode in (401, 403) 
| summarize Count = count() by SourceIP, DestinationUrl, ApplicationProtocol
| where Count > 10 // Threshold for alerting
| project TimeGenerated, SourceIP, DestinationUrl, Count, ApplicationProtocol
| extend AlertMessage = "High volume of auth failures detected against Everon OCPP Backend"

PowerShell Verification Script

The following PowerShell script can be used by administrators to audit network connections or check for specific DNS resolution patterns within their environment to identify assets communicating with the vulnerable backend.

Script / Code
<#
.SYNOPSIS
    Checks for active connections to api.everon.io
.DESCRIPTION
    This script checks local DNS cache and active connections to identify 
    potential communication with vulnerable Everon OCPP backends.
#>

$TargetHost = "api.everon.io"

Write-Host "Checking DNS resolution for $TargetHost..." -ForegroundColor Cyan
try {
    $dnsResult = Resolve-DnsName -Name $TargetHost -ErrorAction Stop
    Write-Host "[+] Resolution Successful:" -ForegroundColor Green
    $dnsResult | Select-Object Name, Type, IP4Address, IPAddress
}
catch {
    Write-Host "[-] DNS Resolution failed. Host may be unreachable or blocked." -ForegroundColor Yellow
}

Write-Host "Checking recent TCP connections..." -ForegroundColor Cyan
# Get TCP connections that might be related (Port 443/80)
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
                Where-Object { $_.RemoteAddress -ne "0.0.0.0" -and $_.RemoteAddress -notlike "127.*" }

if ($connections) {
    $found = $false
    foreach ($conn in $connections) {
        try {
            $remoteHost = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName
            if ($remoteHost -like "*everon*" -or $remoteHost -eq $TargetHost) {
                Write-Host "[!] Active connection found to: $remoteHost ($($conn.RemoteAddress)): $($conn.RemotePort)" -ForegroundColor Red
                $found = $true
            }
        }
        catch {
            # Ignore reverse lookup failures
        }
    }
    if (-not $found) {
        Write-Host "[No active connections to Everon backends detected currently.]" -ForegroundColor Green
    }
}
else {
    Write-Host "No active TCP connections found." -ForegroundColor Yellow
}

Remediation

Organizations utilizing Everon OCPP Backends must take immediate action to mitigate the risk of unauthorized administrative control.

1. Patch and Update Contact Everon support immediately to apply the latest security patches. Since the advisory affects all/* versions, upgrading to the latest secure firmware is mandatory to resolve CVE-2026-26288 and associated authentication issues.

2. Network Segmentation and Access Control

  • Restrict IP Access: Implement strict firewall rules to ensure that the api.everon.io backend is only accessible from trusted IP addresses used by the charging stations or management network.
  • Isolate OT Networks: Ensure EV charging infrastructure is segmented from the corporate IT network to prevent lateral movement.

3. Enforce Strong Authentication

  • Ensure that the backend is configured to require strong, complex passwords for all administrative and charging station accounts.
  • If available, enforce Multi-Factor Authentication (MFA) for administrative access to the OCPP backend.

4. Review Session Management

  • Configure session timeouts to the shortest allowable duration to minimize the window of opportunity for session hijacking.
  • Ensure that sessions are invalidated immediately after logout.

5. Audit Logs

  • Enable comprehensive logging for all API interactions and authentication attempts. Regularly review these logs for patterns indicative of brute-force attacks or unauthorized access attempts.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

socmdrmanaged-socdetectioncritical-infrastructureics-scadacisaev-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action