Critical Vulnerabilities in SWITCH EV Charging Platform Allow Station Impersonation
Take action: Make sure your SWITCH EV station management is isolated from the internet and behind a firewall or VPN. Since the vendor has not released a patch that's your only defense until the vendor does something or you replace these systems.
Learn More
CISA reports multiple vulnerabilities in the SWITCH EV electric vehicle charging platform. These flaws affect all versions of the swtchenergy.com platform and could lead to large-scale service disruptions in the energy and transportation sectors.
Vulnerabilities summary:
- CVE-2026-27767 (CVSS score 9.4) - A missing authentication vulnerability in WebSocket endpoints that allows unauthenticated attackers to connect to the OCPP interface. By using a discovered charging station identifier, an attacker can impersonate a legitimate charger to issue commands or manipulate data sent to the backend. This flaw effectively grants unauthorized control over the charging infrastructure without requiring any credentials.
- CVE-2026-25113 (CVSS score 7.5) - An improper restriction of excessive authentication attempts in the WebSocket API that lacks rate-limiting controls. Attackers can use this to run brute-force attacks or launch denial-of-service campaigns by suppressing legitimate telemetry data from chargers. This mechanism allows a malicious actor to overwhelm the system and misroute traffic.
- CVE-2026-25778 (CVSS score 7.3) - An insufficient session expiration flaw where the backend allows multiple connections to use the same session identifier. Attackers can exploit this session shadowing to displace a legitimate charging station's connection and receive commands intended for that station. This predictable session management lets unauthorized users hijack active sessions or cause a denial-of-service by flooding the backend with valid requests.
- CVE-2026-27773 (CVSS score 6.5) - An insufficiently protected credentials vulnerability where charging station authentication identifiers are publicly accessible on web-based mapping platforms. Attackers can harvest these identifiers to facilitate the impersonation attacks described in other CVEs.
Malicious actors can hijack sessions to gain unauthorized access to user data or manipulate operational parameters of the charging stations.
The vulnerabilities impact all versions of the SWITCH EV swtchenergy.com platform. SWITCH EV has not yet responded to CISA's coordination requests regarding these findings. There are no official vendor patches available at this time to address the underlying code flaws.
Organizations must implement strict network security measures to protect their charging assets. CISA recommends isolating control system networks from the internet and placing them behind firewalls. If remote access is necessary, administrators should use secure VPNs.
