---
title: "Critical Vulnerabilities in EV2GO Charging Stations Expose Global Energy Infrastructure"
short_title: "EV2GO charging stations face critical security flaws"
description: "Four critical vulnerabilities in EV2GO ev2go.io charging stations could allow attackers to hijack sessions, cause denial-of-service, and manipulate backend data. Patch now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [ev2go, cve-2026-24731, cve-2026-25945, cybersecurity, energy-sector]
score: 0.92
cve_ids: [CVE-2026-24731, CVE-2026-25945, CVE-2026-20895, CVE-2026-22890]
---
TL;DR
Four critical vulnerabilities in EV2GO ev2go.io electric vehicle (EV) charging stations could allow attackers to impersonate charging stations, hijack sessions, manipulate backend data, and cause large-scale denial-of-service (DoS) attacks. These flaws affect all versions of the platform and pose severe risks to global energy and transportation infrastructure. EV2GO has not responded to coordination efforts, leaving users exposed.
---
Main Content
Introduction
The global shift toward electric vehicles (EVs) has accelerated the deployment of charging infrastructure worldwide. However, this rapid expansion has introduced new cybersecurity risks. EV2GO, a prominent provider of EV charging solutions, has been found to harbor four critical vulnerabilities in its ev2go.io platform. These flaws could enable attackers to disrupt energy grids, manipulate charging data, and compromise user safety.
If exploited, these vulnerabilities could have far-reaching consequences for critical infrastructure sectors, including energy and transportation systems. This article explores the technical details, potential impact, and recommended mitigation strategies.
---
Key Points
- Four critical vulnerabilities (CVE-2026-24731, CVE-2026-25945, CVE-2026-20895, CVE-2026-22890) affect all versions of EV2GO’s ev2go.io platform.
- Successful exploitation could allow attackers to:
- Impersonate charging stations and manipulate backend data.
- Hijack sessions and displace legitimate connections.
- Cause large-scale denial-of-service (DoS) attacks by suppressing or misrouting traffic.
- Access publicly exposed charging station identifiers via web-based mapping platforms.
- EV2GO has not responded to CISA’s coordination requests, leaving users without official patches.
- Critical infrastructure sectors, including energy and transportation, are at risk.
---
Technical Details
#### 1. Missing Authentication for Critical Functions (CVE-2026-24731)
- CVSS Score: 9.4 (Critical)
- CWE: [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)
- Description: The WebSocket endpoints in EV2GO’s platform lack proper authentication mechanisms. Attackers can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and issue or receive OCPP commands as a legitimate charger.
- Impact: This flaw enables privilege escalation, unauthorized control of charging infrastructure, and corruption of backend data.
#### 2. Improper Restriction of Excessive Authentication Attempts (CVE-2026-25945)
- CVSS Score: 7.5 (High)
- CWE: [CWE-307: Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html)
- Description: The WebSocket API lacks rate-limiting on authentication requests, allowing attackers to conduct brute-force attacks or DoS attacks by suppressing legitimate charger telemetry.
- Impact: Attackers can disrupt operations, misroute traffic, or gain unauthorized access to the system.
#### 3. Insufficient Session Expiration (CVE-2026-20895)
- CVSS Score: 7.3 (High)
- CWE: [CWE-613: Insufficient Session Expiration](https://cwe.mitre.org/data/definitions/613.html)
- Description: The platform uses charging station identifiers to associate sessions but allows multiple endpoints to connect using the same identifier. This enables session hijacking or shadowing, where the most recent connection displaces the legitimate station.
- Impact: Attackers can authenticate as other users, cause DoS conditions, or intercept backend commands.
#### 4. Insufficiently Protected Credentials (CVE-2026-22890)
- CVSS Score: 6.5 (Medium)
- CWE: [CWE-522: Insufficiently Protected Credentials](https://cwe.mitre.org/data/definitions/522.html)
- Description: Charging station authentication identifiers are publicly accessible via web-based mapping platforms, exposing them to potential attackers.
- Impact: Attackers can exploit exposed credentials to gain unauthorized access to the system.
---
Impact Assessment
The vulnerabilities in EV2GO’s ev2go.io platform pose severe risks to critical infrastructure sectors, including:
- Energy Sector: Disruption of charging services could destabilize local energy grids, particularly in regions with high EV adoption.
- Transportation Systems: Attackers could disable charging stations, leading to operational downtime for electric vehicles, including public transport and logistics fleets.
- Data Integrity: Manipulation of backend data could compromise billing systems, user privacy, and operational logs.
- Denial-of-Service (DoS): Large-scale DoS attacks could cripple charging networks, causing widespread inconvenience and economic loss.
Given the global deployment of EV2GO’s platform, these vulnerabilities could have international ramifications, affecting millions of users and businesses.
---
Mitigation Steps
While EV2GO has not responded to CISA’s coordination efforts, organizations and users can take the following steps to minimize risks:
1. Network Segmentation:
- Isolate charging stations from business networks using firewalls.
- Ensure control system devices are not accessible from the Internet.
2. Secure Remote Access:
- Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
- Recognize that VPNs are only as secure as the connected devices.
3. Monitor for Malicious Activity:
- Implement intrusion detection systems (IDS) to monitor for suspicious activity.
- Follow established internal procedures to report and mitigate incidents.
4. Defensive Strategies:
- Adopt CISA’s recommended cybersecurity strategies, including defense-in-depth approaches.
- Review ICS-TIP-12-146-01B for targeted cyber intrusion detection and mitigation strategies.
5. Vendor Coordination:
- Contact EV2GO via their [contact page](https://ev2go.io/) for updates on patches or mitigation guidance.
---
Conclusion
The discovery of four critical vulnerabilities in EV2GO’s ev2go.io platform underscores the growing cybersecurity risks in the EV charging infrastructure. With no official patches available and EV2GO unresponsive to coordination efforts, organizations must act proactively to secure their systems.
These flaws highlight the urgent need for robust cybersecurity measures in critical infrastructure sectors. As the world transitions to electric vehicles, securing charging networks must become a top priority to prevent disruptions, data breaches, and large-scale attacks.
Stay vigilant, implement defensive measures, and monitor for updates from EV2GO and CISA to safeguard your infrastructure.
---
References
[^1]: CISA. "[ICSA-26-057-04 EV2GO ev2go.io](https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04)". Retrieved 2024-10-02.
[^2]: NIST. "[CVE-2026-24731 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-24731)". Retrieved 2024-10-02.
[^3]: MITRE. "[CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)". Retrieved 2024-10-02.
[^4]: EV2GO. "[Contact Page](https://ev2go.io/)". Retrieved 2024-10-02.