Cybersecurity researchers have sounded the alarm on a series of critical vulnerabilities affecting Everon OCPP Backends, the digital infrastructure used to manage electric vehicle (EV) charging stations. The flaws could have allowed attackers to hijack charging sessions, manipulate infrastructure data, or knock entire charging networks offline.
The vulnerabilities impact the api.everon.io platform across all versions.
The most severe issue, tracked as CVE-2026-26288, carries a CVSS score of 9.4. The vulnerability stems from a total lack of proper authentication mechanisms on WebSocket endpoints.
An unauthenticated attacker could connect to the backend using any known or discovered charging station identifier. Once connected, the attacker can issue or receive Open Charge Point Protocol (OCPP) commands as if they were a legitimate charger. This leads to unauthorized control of charging infrastructure, privilege escalation, and the corruption of reporting data.
Three additional vulnerabilities were identified that further compromised the security of the charging grid:
- CVE-2026-24696 (CVSS 7.5): The API did not restrict the number of authentication requests. Without rate limiting, an attacker could mount brute-force attacks or create Denial-of-Service (DoS) conditions in which legitimate telemetry is suppressed.
- CVE-2026-20748 (CVSS 7.3): The system allowed multiple endpoints to connect using the same session identifier, leading to “session hijacking” or “shadowing”. In this scenario, a malicious connection could displace a legitimate charger and receive backend commands intended for that station.
- CVE-2026-27027 (CVSS 6.5): Making matters worse, researchers found that charging station authentication identifiers were publicly accessible via web-based mapping platforms, providing attackers with the keys needed to launch the impersonation attacks mentioned above.
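What the connection-accept step of a hardened OCPP backend looks like, as an added example that is not Everon's code and not part of the original report: it requires per-charger credentials on the WebSocket upgrade request (the HTTP Basic Auth scheme used by OCPP 1.6J security profile 1, assumed here), caps authentication attempts per source, and refuses a second session for an identifier that is already connected, which addresses the three weaknesses described above. The `/ocpp/<id>` path layout, the credential store, the hash function and the limits are all assumptions.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass, field

def hash_password(pw: str) -> str:
    # Demonstration only: a production backend would use a slow, salted KDF (scrypt/argon2).
    return hashlib.sha256(pw.encode()).hexdigest()

def basic_auth_header(user: str, pw: str) -> dict:
    # Builds the Authorization header a charger sends on the WebSocket upgrade request.
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}

@dataclass
class Backend:
    creds: dict                      # charge point id -> password hash (constructed sample store)
    max_attempts: int = 5            # authentication attempts allowed per source per window
    window: float = 60.0             # seconds
    active: dict = field(default_factory=dict)    # charge point id -> live session
    attempts: dict = field(default_factory=dict)  # source ip -> recent attempt timestamps

    def _rate_limited(self, ip: str, now: float) -> bool:
        hits = [t for t in self.attempts.get(ip, []) if now - t < self.window]
        hits.append(now)
        self.attempts[ip] = hits
        return len(hits) > self.max_attempts

    def accept(self, path: str, headers: dict, ip: str, now: float = None) -> tuple:
        """Decide whether a WebSocket upgrade for /ocpp/<charge point id> becomes a session."""
        now = time.time() if now is None else now
        cp_id = path.rsplit("/", 1)[-1]
        if self._rate_limited(ip, now):
            return 429, "too many authentication attempts"
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, "credentials required"        # a bare identifier never opens a session
        try:
            user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 401, "malformed credentials"
        stored = self.creds.get(cp_id, "")
        # Same response for unknown id, mismatched id and wrong password: no identifier enumeration.
        if user != cp_id or not hmac.compare_digest(hash_password(pw), stored):
            return 401, "bad credentials"
        if cp_id in self.active:
            return 409, "charge point already connected"  # refuse a second session for the same id
        self.active[cp_id] = {"ip": ip, "since": now}
        return 101, "switching protocols"
```

A publicly known identifier alone yields a 401 here, and a duplicate session for a live charger yields a 409 instead of displacing it.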
In a rare and definitive response to these systemic security risks, the solution was not a patch, but a complete decommissioning of the service. Everon officially shut down the affected platform on December 1st, 2025, effectively neutralizing the threat to the EV charging ecosystem.