Do Son 
Electric vehicles are rapidly becoming the new standard on our roads, but the infrastructure powering them is facing a serious new digital threat. The Cybersecurity and Infrastructure Security Agency (CISA) has released a critical Industrial Control Systems (ICS) advisory regarding severe vulnerabilities discovered in the EV2GO charging platform.
Released on February 26, 2026, the alert (ICSA-26-057-04) highlights a chain of security flaws that could give cybercriminals alarming control over electric vehicle charging networks. As EV adoption accelerates, securing these public and private charging hubs is just as vital as securing the power grid itself.
The core issue centers around how these charging stations communicate and authenticate with their central networks. According to the official CISA advisory, “Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend”.
The advisory explicitly states that the entire product line is currently impacted. The specific vulnerabilities tracked in this disclosure include:
- CVE-2026-24731 (CVSS 9.4): WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
- CVE-2026-25945 (CVSS 7.5): The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
- CVE-2026-20895 (CVSS 7.3): The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
- CVE-2026-22890 (CVSS 6.5): Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Because these stations bridge the gap between consumer technology, the automotive industry, and the municipal power grid, they represent a highly attractive target for cybercriminals.
Operators of EV2GO charging networks and infrastructure defenders must prioritize reviewing the CISA advisory to protect both the power grid and the everyday drivers relying on a safe, consistent charge.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
