Multiple Vulnerabilities Reported in EV2GO Charging Platform
Take action: Make sure your EV2GO station management is isolated from the internet and behind a firewall or VPN. Since the vendor has not released a patch, that's your only defense until the vendor does something or you replace these systems.
Learn More
CISA reports multiple flaws in EV2GO, a United Kingdom-based electric vehicle charging platform, that allow attackers to hijack charging sessions and manipulate backend data.
Vulnerabilities summary:
- CVE-2026-24731 (CVSS score 9.4) - A missing authentication vulnerability in WebSocket endpoints that allows unauthenticated attackers to connect to the OCPP interface. By using a discovered charging station identifier, an attacker can impersonate a legitimate charger to issue commands or corrupt backend data. This bypasses all access controls, leading to unauthorized control of the charging infrastructure.
- CVE-2026-25945 (CVSS score 7.5) - An improper restriction of excessive authentication attempts within the WebSocket API. The lack of rate limiting allows attackers to flood the system with requests, suppressing legitimate telemetry or conducting brute-force attacks. The same flaw can result in a large-scale denial-of-service (DoS) by misrouting traffic.
- CVE-2026-20895 (CVSS score 7.3) - An insufficient session expiration flaw where the backend allows multiple endpoints to use the same predictable session identifier. Attackers can perform session shadowing, where a new connection displaces the legitimate station to intercept backend commands. This allows unauthorized users to maintain persistent control over active charging sessions.
- CVE-2026-22890 (CVSS score 6.5) - An information disclosure vulnerability where charging station authentication identifiers are exposed on public web-mapping platforms. Attackers can harvest these credentials to facilitate the exploitation of the other WebSocket-based flaws.
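As an added illustration of what a defender could watch for on the gateway side (this is not code from the advisory, from CISA or from EV2GO; the log format, field names and thresholds are assumptions), the script below parses constructed connection-log lines from a charge-point WebSocket gateway and flags the two behaviours described above: a second connection claiming a charge point identifier that already has a live session from a different source address (the session-shadowing pattern), and a single source opening connections faster than a fixed threshold (the flooding pattern).

```python
"""Detection sketch for two WebSocket gateway behaviours: session shadowing
(a new connection displacing a live charge-point session) and connection
flooding from one source.  The log format below is an ASSUMPTION made for
this example, not EV2GO's real log format."""

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, Iterator, NamedTuple
import re

# Assumed gateway log line: "<ISO timestamp> <CONNECT|DISCONNECT> cp=<id> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CONNECT|DISCONNECT) cp=(?P<cp>\S+) src=(?P<src>\S+)$"
)


class Record(NamedTuple):
    ts: datetime
    event: str
    cp: str   # charge point identifier presented on connect
    src: str  # source IP of the WebSocket client


# Constructed sample log (not real data): one legitimate reconnect, one
# shadowing attempt against CP-001, and a burst of connects from one source.
SAMPLE_LOG = [
    "2026-03-01T10:00:00 CONNECT cp=CP-001 src=10.0.0.5",
    "2026-03-01T10:00:01 CONNECT cp=CP-002 src=10.0.0.6",
    "2026-03-01T10:05:00 CONNECT cp=CP-001 src=203.0.113.7",  # displaces CP-001
    "2026-03-01T10:07:00 DISCONNECT cp=CP-002 src=10.0.0.6",
    "2026-03-01T10:07:30 CONNECT cp=CP-002 src=10.0.0.6",     # benign reconnect
]
# Twelve connects in twelve seconds from one source, each with a different ID.
SAMPLE_LOG += [
    f"2026-03-01T10:10:{i:02d} CONNECT cp=PROBE-{i:03d} src=198.51.100.9"
    for i in range(12)
]


def parse(lines: Iterable[str]) -> Iterator[Record]:
    """Yield Records for lines matching LOG_RE; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield Record(datetime.fromisoformat(m["ts"]), m["event"], m["cp"], m["src"])


def find_session_shadowing(records: Iterable[Record]):
    """Return (ts, cp, previous_src, new_src) for every CONNECT that claims a
    charge point ID already holding a live session from a different source."""
    active = {}  # cp -> src currently holding the session
    alerts = []
    for r in records:
        if r.event == "CONNECT":
            prev = active.get(r.cp)
            if prev is not None and prev != r.src:
                alerts.append((r.ts, r.cp, prev, r.src))
            active[r.cp] = r.src
        else:
            active.pop(r.cp, None)
    return alerts


def find_connection_floods(records: Iterable[Record],
                           window: timedelta = timedelta(seconds=10),
                           threshold: int = 10):
    """Return {src: first_ts_over_threshold} for sources that open more than
    `threshold` connections inside any sliding `window`."""
    recent = defaultdict(deque)  # src -> timestamps of recent CONNECTs
    flagged = {}
    for r in records:
        if r.event != "CONNECT":
            continue
        q = recent[r.src]
        q.append(r.ts)
        while q and r.ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and r.src not in flagged:
            flagged[r.src] = r.ts
    return flagged


def analyse(lines: Iterable[str]) -> dict:
    """Run both detectors over raw log lines and return their findings."""
    records = list(parse(lines))
    return {
        "shadowing": find_session_shadowing(records),
        "floods": find_connection_floods(records),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

The shadowing detector keys on the charge point identifier rather than on the source address, because the identifier is exactly what the advisory says an attacker can reuse; a benign reconnect from the same source after a DISCONNECT produces no alert. The flood window and threshold are starting points to tune against a site's normal reconnect rate.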
All versions of the EV2GO ev2go.io platform are currently considered affected. CISA reported that the vendor, EV2GO, did not respond to requests for coordination regarding these vulnerabilities. There are no official patches available at this time, leaving the global deployment of these systems vulnerable to exploitation.
Since no vendor fix exists, administrators must implement network isolation to protect their charging infrastructure. CISA recommends placing all control systems behind firewalls and ensuring they are not accessible from the public internet. If remote access is necessary, use updated Virtual Private Networks (VPNs).