Critical flaws let attackers hijack EV charging networks

Security researchers have uncovered a set of critical vulnerabilities in the software that operates electric vehicle charging stations, the most serious of which lets an attacker take administrative control of chargers without needing any password.

The flaws sit in the EVoke Systems Charging Station Management System (CSMS), a cloud platform that EV charging operators use to run fleets of chargers across the energy and transportation sectors worldwide. Researchers Khaled Sarieddine and Mohammad Ali Sayed reported the issues, which were published in a CISA advisory. EVoke says all versions of the platform are affected, and CISA notes no public exploitation of these specific flaws has been reported yet.

How the attack works

The headline bug, CVE-2026-40702 (CVSS 9.4), is a missing-authentication weakness in the WebSocket connections that chargers use to talk to the management platform. Because those endpoints do not verify who is connecting, an attacker can impersonate a charging station, read sensitive data, and perform actions as a trusted device, which can escalate to control over the wider system. Three related issues compound the risk: no limit on authentication attempts (CVE-2026-50176), which enables denial-of-service and brute-force attacks; predictable session identifiers (CVE-2026-54479) that let one user hijack another's session; and charger authentication identifiers that are exposed through public web mapping platforms (CVE-2026-44622).

The underlying problem is OCPP, the protocol that chargers and back ends use to communicate. EVoke supports OCPP security profiles 0 through 3, but many legacy chargers in the field only support the weakest profiles, which were deployed before stronger authentication became standard. Some of those devices are no longer supported by their original makers and cannot be upgraded at all.

What you should do

There is no single patch. EVoke says it is working with charger manufacturers to migrate devices to stronger OCPP security profiles (TLS encryption and mutual certificate authentication) and is adding server-side protections: allow-listing known charger IDs, permitting only one active session per charger, monitoring for anomalous connections, and rate-limiting the WebSocket gateway. Operators should keep charging-management systems off the public internet, place them behind firewalls, and use secure remote access such as a VPN.
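The server-side protections listed above can be pictured as an admission check that runs before a charger's WebSocket connection is accepted. The sketch below is an added example, not EVoke's code: the `ConnectionGate` class, its thresholds, and the charger IDs and addresses are all assumptions made for illustration. Because charger identifiers can be looked up publicly (CVE-2026-44622), the allow-list is not authentication on its own, which is why a second connection claiming a live ID is rejected and logged.

```python
import time
from collections import defaultdict, deque

class ConnectionGate:
    """Admission control for charger WebSocket connections (hypothetical helper)."""

    def __init__(self, allowed_ids, max_attempts=5, window_s=60.0):
        self.allowed_ids = set(allowed_ids)   # allow-list of provisioned charger IDs
        self.max_attempts = max_attempts      # attempts allowed per source per window
        self.window_s = window_s
        self.attempts = defaultdict(deque)    # source address -> attempt timestamps
        self.active = {}                      # charger ID -> source holding the session
        self.alerts = []                      # anomalies for the monitoring pipeline

    def admit(self, charger_id, source, now=None):
        """Return (accepted, reason) for one connection attempt."""
        now = time.monotonic() if now is None else now
        recent = self.attempts[source]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                  # forget attempts outside the window
        recent.append(now)
        if len(recent) > self.max_attempts:
            return self._deny("rate_limited", charger_id, source)
        if charger_id not in self.allowed_ids:
            return self._deny("unknown_charger", charger_id, source)
        if charger_id in self.active:
            # Second connection claiming a live identity: reject and flag it.
            return self._deny("duplicate_session", charger_id, source)
        self.active[charger_id] = source
        return True, "accepted"

    def release(self, charger_id):
        self.active.pop(charger_id, None)     # call when the WebSocket closes

    def _deny(self, reason, charger_id, source):
        self.alerts.append((reason, charger_id, source))
        return False, reason

def demo():
    # Constructed sample data: the IDs and addresses are made up.
    gate = ConnectionGate({"CP-0001", "CP-0002"}, max_attempts=3, window_s=60)
    return [
        gate.admit("CP-0001", "198.51.100.10", now=0),  # known charger
        gate.admit("CP-0001", "203.0.113.7", now=1),    # same ID, second session
        gate.admit("CP-9999", "203.0.113.7", now=2),    # not on the allow-list
        gate.admit("CP-0002", "203.0.113.7", now=3),    # still within the limit
        gate.admit("CP-0002", "203.0.113.7", now=4),    # 4th attempt in 60 s
    ]
```

A gate like this narrows what an unauthenticated connection can do; it does not replace the TLS and mutual certificate authentication of the stronger OCPP security profiles.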

Charging networks are part of a fast-growing attack surface in operational technology. For context on how state-aligned crews probe this terrain, see our reporting on IRGC-linked CyberAv3ngers targeting industrial controllers across the water, energy, and healthcare sectors.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.