EV Energy ev.energy

Summary

Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

The following versions of EV Energy ev.energy are affected:

ev.energy vers:all/* (CVE-2026-27772, CVE-2026-24445, CVE-2026-26290, CVE-2026-25774)

CVSS	Vendor	Equipment	Vulnerabilities
v3 9.4	EV Energy	EV Energy ev.energy	Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United Kingdom

Vulnerabilities

Expand All +

CVE-2026-27772

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

View CVE Details

Affected Products

Vendor:
EV Energy

Product Version:
EV Energy ev.energy: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV Energy did not respond to CISA’s request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.4	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-24445

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

View CVE Details

Affected Products

EV Energy ev.energy

Vendor:
EV Energy

Product Version:
EV Energy ev.energy: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV Energy did not respond to CISA’s request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

CVSS Version[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article:

EV Energy ev.energy

← Copeland XWEB and XWEB Pro

Is Spyware Secretly Hiding on Your Phone? How to Detect It, Remove It, and Prevent It →

EV Energy ev.energy

Summary

Background

Vulnerabilities

CVE-2026-27772

Affected Products

EV Energy ev.energy

Remediations

Metrics

CVE-2026-24445

Affected Products

EV Energy ev.energy

Remediations

Metrics

Read the original article:

Like this:

Related

Summary

Background

Vulnerabilities

CVE-2026-27772

Affected Products

EV Energy ev.energy

Remediations

Metrics

CVE-2026-24445

Affected Products

EV Energy ev.energy

Remediations

Metrics

Read the original article:

Share this:

Like this:

Related

Post navigation