Advisory

Multiple Vulnerabilities Reported in EV Energy Charging Platform

Take action: Isolate EV Energy charging systems and any management interfaces for them from the public internet, put them behind a firewall, and use a VPN for any remote management you cannot avoid. The vendor has not released a patch, so these network controls are the only mitigation available until the systems are replaced.


Learn More

CISA reports multiple vulnerabilities in EV Energy, a United Kingdom-based provider of electric vehicle charging software.

Vulnerability summary:

  • CVE-2026-27772 (CVSS score 9.4) - Missing authentication on the Open Charge Point Protocol (OCPP) WebSocket endpoints. An attacker who knows a station identifier can open a WebSocket to the backend as that station without presenting any credential, then send and receive commands as a legitimate charger, leading to full infrastructure control.
  • CVE-2026-24445 (CVSS score 7.5) - Improper restriction of authentication attempts: the WebSocket API applies no rate limiting, so attackers can brute-force station credentials or cause denial of service by suppressing or mis-routing legitimate charger telemetry.
  • CVE-2026-26290 (CVSS score 7.3) - Insufficient session expiration: the backend lets multiple connections share the same predictable session identifier, so a malicious connection can hijack or "shadow" a legitimate station's session, displacing the real charger and intercepting the commands the backend sends to it.
  • CVE-2026-25774 (CVSS score 6.5) - Information disclosure: charging station authentication identifiers are publicly accessible through web-based mapping platforms. Because the backend treats these identifiers as credentials, the leak gives attackers what they need to exploit the three WebSocket flaws above.
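
To make the missing controls concrete, the following is a hypothetical server-side admission gate for an OCPP WebSocket endpoint. It is an added illustration, not code from ev.energy or CISA, and it assumes the common OCPP deployment pattern in which a station opens a WebSocket to /<charge point identity> and authenticates with HTTP Basic credentials in the upgrade request (the mechanism used by OCPP 1.6 and 2.0.1 security profiles 1 and 2). The class and function names, the station identity CP-1234, its key, and the IP addresses in the scenario are all constructed for the example.

```python
"""Hypothetical OCPP WebSocket admission gate (added example, not ev.energy code).
It models the three server-side controls the advisory describes as missing:
authenticate the station with HTTP Basic credentials carried in the WebSocket
upgrade (as OCPP 1.6/2.0.1 security profiles 1 and 2 do) rather than trusting the
identifier in the URL; rate-limit failed attempts per source address; and refuse a
second live connection for an identity that is already connected. Transport is
omitted; callers pass the parsed handshake fields and get (http_status, reason)."""
import base64
import binascii
import hashlib
import hmac
import time
from collections import defaultdict, deque
_DUMMY_DIGEST = "0" * 64  # compared against for unknown identities so timing stays uniform

def key_digest(authorization_key: str) -> str:
    # Only a SHA-256 digest of each station's AuthorizationKey is kept server-side.
    return hashlib.sha256(authorization_key.encode("utf-8")).hexdigest()

def basic_header(user: str, password: str) -> str:
    # The Authorization header a station sends in its upgrade request.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

class OcppConnectionGate:
    def __init__(self, station_keys: dict, max_failures: int = 5, window_s: float = 60.0):
        # station_keys: charge point identity -> AuthorizationKey provisioned out of band
        self._digests = {cp: key_digest(k) for cp, k in station_keys.items()}
        self._max_failures, self._window_s = max_failures, window_s
        self._failures = defaultdict(deque)  # source ip -> timestamps of recent failures
        self._live = {}                      # identity -> source ip of its live session

    def _throttled(self, source_ip, now):
        recent = self._failures[source_ip]
        while recent and now - recent[0] > self._window_s:
            recent.popleft()
        return len(recent) >= self._max_failures

    def _fail(self, source_ip, now, reason):
        self._failures[source_ip].append(now)
        return 401, reason

    @staticmethod
    def _parse_basic(header):
        if not header or not header.startswith("Basic "):
            return None
        try:
            raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = raw.partition(":")
        return (user, password) if sep else None

    def admit(self, path_identity, authorization, source_ip, now=None):
        """Decide a WebSocket upgrade for /<path_identity>: (101, ...) accepts, else 401/409/429."""
        now = time.monotonic() if now is None else now
        if self._throttled(source_ip, now):
            return 429, "too many failed authentication attempts"
        creds = self._parse_basic(authorization)
        if creds is None:
            return self._fail(source_ip, now, "missing or malformed Basic credentials")
        user, password = creds
        # Username must match the URL identity and the key must verify; a harvested id alone proves nothing.
        known = user in self._digests
        valid = hmac.compare_digest(key_digest(password), self._digests.get(user, _DUMMY_DIGEST))
        if not (known and valid and user == path_identity):
            return self._fail(source_ip, now, "invalid credentials")
        if user in self._live:
            return 409, f"{user} already connected from {self._live[user]}"
        self._live[user] = source_ip
        return 101, "accepted"

    def release(self, identity):
        self._live.pop(identity, None)

def run_scenario():
    """Constructed sequence of upgrade attempts; returns the HTTP status of each."""
    gate = OcppConnectionGate({"CP-1234": "s3cret-key"}, max_failures=3, window_s=60.0)
    good = basic_header("CP-1234", "s3cret-key")
    station, attacker = "198.51.100.5", "203.0.113.9"
    steps = [
        ("CP-1234", None, attacker, 0.0),                                  # leaked id, no credentials
        ("CP-1234", good, station, 1.0),                                   # real station connects
        ("CP-1234", basic_header("CP-1234", "password"), attacker, 2.0),   # password guessing...
        ("CP-1234", basic_header("CP-1234", "123456"), attacker, 3.0),
        ("CP-1234", basic_header("CP-1234", "admin"), attacker, 4.0),      # third failure: throttled
        ("CP-1234", good, attacker, 5.0),                                  # right key, still throttled
        ("CP-1234", good, "198.51.100.6", 6.0),                            # shadowing attempt on live session
        None,                                                              # station disconnects
        ("CP-1234", good, station, 7.0),                                   # and reconnects normally
        ("CP-9999", good, "203.0.113.10", 8.0),                            # CP-1234's key on another path
        ("CP-1234", basic_header("CP-1234", "letmein"), attacker, 70.0),   # window expired, judged again
    ]
    statuses = []
    for step in steps:
        if step is None:
            gate.release("CP-1234")
            continue
        path, header, ip, t = step
        statuses.append(gate.admit(path, header, ip, now=t)[0])
    return statuses
```

The gate answers 409 to a second connection for a live identity rather than displacing the first, which is the opposite of the shadowing behaviour described for CVE-2026-26290; a production backend should also alert on every 409, because it means either a stale session or an active impersonation attempt. The rate limit is keyed by source address, so a throttled address is refused even when it presents the correct key: that trade-off is what makes guessing expensive.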

Successful exploitation allows attackers to gain administrative control over charging networks. By manipulating the Open Charge Point Protocol (OCPP) communications, malicious actors can disrupt charging services, corrupt usage data, and potentially damage physical infrastructure. 

All versions of the EV Energy ev.energy platform are currently affected. Because the vendor did not respond to CISA's coordination requests, there are no official software patches available at this time.

Since no vendor fix exists, organizations must rely on network-level defenses. CISA recommends isolating control system networks from the internet and placing them behind firewalls so that nothing outside can reach them directly; where remote access is unavoidable, administrators should use secure VPNs. Note that these controls reduce the exposure of the charging stations and their management interfaces but do not change the backend WebSocket API where the flaws live, so an attacker holding a leaked station identifier can still reach it. Treat station identifiers as credentials, and monitor for duplicate or unexpected charger sessions, which are the observable symptom of the impersonation and shadowing attacks described above.
