---
title: "Critical Flaws in EV Charging Stations Expose Global Energy Networks to Hackers"
short_title: "Critical EV charging station vulnerabilities exposed"
description: "Four zero-day vulnerabilities in EV Energy ev.energy charging stations allow unauthorized control and DoS attacks. Learn mitigation steps now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [ev-charging, cve-2026-27772, cybersecurity, energy-sector, vulnerability]
score: 0.92
cve_ids: [CVE-2026-27772, CVE-2026-24445, CVE-2026-26290, CVE-2026-25774]
---
TL;DR
Four critical vulnerabilities in EV Energy’s ev.energy charging stations could allow attackers to gain unauthorized administrative control, disrupt charging services, or launch denial-of-service (DoS) attacks. Affecting global energy and transportation sectors, these flaws highlight urgent security gaps in critical infrastructure. No patches are available yet, as the vendor has not responded to coordination requests.
---
Main Content
Introduction
The rapid expansion of electric vehicle (EV) charging infrastructure has introduced new cybersecurity risks, with critical vulnerabilities now threatening the global energy sector. Researchers have uncovered four zero-day flaws in EV Energy’s ev.energy charging stations, which could enable attackers to hijack administrative controls, manipulate charging data, or disrupt services via DoS attacks. These vulnerabilities, assigned CVSS scores as high as 9.4, expose gaps in authentication, session management, and credential protection—posing severe risks to energy and transportation systems worldwide.
---
Key Points
- Four critical vulnerabilities (CVE-2026-27772, CVE-2026-24445, CVE-2026-26290, CVE-2026-25774) affect all versions of EV Energy’s ev.energy charging stations.
- Unauthenticated attackers can exploit these flaws to gain administrative control, impersonate charging stations, or launch DoS attacks.
- No patches are available yet, as EV Energy has not responded to CISA’s coordination requests.
- The vulnerabilities impact global energy and transportation sectors, with charging stations deployed worldwide.
- Mitigation strategies include isolating control systems, using VPNs for remote access, and monitoring for suspicious activity.
---
Technical Details
#### 1. Missing Authentication for Critical Functions (CVE-2026-27772 – CVSS 9.4)
- WebSocket endpoints in ev.energy charging stations lack proper authentication, allowing attackers to impersonate legitimate charging stations.
- An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and issue unauthorized commands.
- Impact: Privilege escalation, unauthorized control of charging infrastructure, and data corruption in backend systems.
#### 2. Improper Restriction of Excessive Authentication Attempts (CVE-2026-24445 – CVSS 7.5)
- The WebSocket API lacks rate-limiting mechanisms, enabling attackers to conduct brute-force attacks or DoS attacks.
- Impact: Suppression or misrouting of legitimate charger telemetry, leading to service disruptions.
#### 3. Insufficient Session Expiration (CVE-2026-26290 – CVSS 7.3)
- The backend system allows multiple connections using the same session identifier, leading to predictable session IDs.
- Impact: Session hijacking, shadowing of legitimate charging stations, and DoS conditions caused by overwhelming the backend with valid session requests.
#### 4. Insufficiently Protected Credentials (CVE-2026-25774 – CVSS 6.5)
- Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
- Impact: Unauthorized access to charging stations, enabling data manipulation or service disruption.
---
Impact Assessment
The vulnerabilities in EV Energy’s ev.energy charging stations pose severe risks to critical infrastructure, including:
- Energy Sector: Unauthorized control of charging stations could disrupt power grid stability or enable energy theft.
- Transportation Systems: DoS attacks could render charging stations inoperable, stranding EV users and disrupting public and private transportation.
- Data Integrity: Attackers could manipulate charging data, leading to financial losses or false reporting of energy consumption.
- Global Reach: With charging stations deployed worldwide, these flaws could have far-reaching consequences for governments, businesses, and consumers.
---
Attack Vector
Attackers can exploit these vulnerabilities through:
- Unauthenticated access to WebSocket endpoints (CVE-2026-27772).
- Brute-force attacks on authentication systems (CVE-2026-24445).
- Session hijacking via predictable session identifiers (CVE-2026-26290).
- Publicly exposed credentials on mapping platforms (CVE-2026-25774).
---
Mitigation Steps
CISA recommends the following defensive measures to minimize exploitation risks:
1. Isolate Control Systems: Ensure charging stations are not accessible from the internet and are segmented from business networks.
2. Use Secure Remote Access: Employ Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
3. Monitor for Suspicious Activity: Implement intrusion detection systems (IDS) to identify and respond to unauthorized access attempts.
4. Apply Vendor Updates: Once available, patch affected systems immediately to mitigate vulnerabilities.
5. Conduct Risk Assessments: Perform impact analysis and risk assessments before deploying defensive measures.
For additional guidance, refer to CISA’s [ICS Cybersecurity Best Practices](https://www.cisa.gov/ics) and [Defense-in-Depth Strategies](https://www.cisa.gov/resources-tools/resources/improving-industrial-control-systems-cybersecurity-defense-depth-strategies).
---
Conclusion
The discovery of these four critical vulnerabilities in EV Energy’s ev.energy charging stations underscores the urgent need for robust cybersecurity measures in critical infrastructure. With no patches available and the vendor unresponsive, organizations must proactively implement mitigation strategies to protect against unauthorized access, data manipulation, and service disruptions. As the EV charging ecosystem expands, securing these systems is paramount to safeguarding energy and transportation networks worldwide.
---
References
[^1]: CISA. "[ICSA-26-057-07 EV Energy ev.energy](https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07)". Retrieved 2024-10-02.
[^2]: NIST. "[CVE-2026-27772 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-27772)". Retrieved 2024-10-02.
[^3]: MITRE. "[CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)". Retrieved 2024-10-02.