CISA warns of multiple vulnerabilities in ePower EV charging stations
Take action: Make sure your ePower charging station is isolated from the internet and behind a firewall or VPN. Since the vendor has not released a patch that's your only defense until the vendor does something or you replace these systems.
Learn More
CISA reports multiple vulnerabilities in ePower, an Irish electric vehicle charging provider, at least one critical. The flaws could lead to unauthorized administrative control or denial-of-service attacks to charging services in the energy and transportation sectors.
Vulnerabilities summary:
- CVE-2026-22552 (CVSS score 9.4) - A missing authentication vulnerability in WebSocket endpoints that allows attackers to connect to the OCPP interface. By using a known charging station identifier, an attacker can send and receive commands as a legitimate charger. Allowing attackers to corrupt charging network data reported to the backend.
- CVE-2026-27778 (CVSS score 7.5) - An improper restriction of authentication attempts in the WebSocket API that enables denial-of-service attacks. The lack of rate limiting allows attackers to flood the system with requests, suppress legitimate telemetry and conducting brute-force attacks. This mechanism can result in a large-scale denial-of-service (DoS) by misrouting traffic.
- CVE-2026-24912 (CVSS score 7.3) - An insufficient session expiration flaw where the backend allows multiple endpoints to use the same session identifier. This enables session hijacking or shadowing, where a new connection displaces a legitimate one to intercept backend commands. Attackers can use this to receive sensitive instructions intended for the actual charging station.
- CVE-2026-27770 (CVSS score 6.5) - An information disclosure issue where charging station authentication identifiers are publicly accessible through web-based mapping platforms.
All versions of ePower's charging station software are currently affected. ePower is headquartered in Ireland and its systems are deployed worldwide. CISA notes that the vendor did not respond to coordination requests, meaning official patches are currently unavailable from the manufacturer. This lack of response leaves the equipment vulnerable to any attacker who can find the publicly listed station identifiers.
Since no vendor fix exists, administrators must use network-level defenses to protect vulnerable hardware. CISA recommends isolating charging stations from the internet and placing all control systems behind firewalls. If remote access is necessary, use a secure Virtual Private Network (VPN).
