- Product: EVoke CSMS
- Vulnerabilities: 4 flaws (CVE-2026-40702, CVE-2026-50176, CVE-2026-54479, CVE-2026-44622)
- Highest severity: 9.4 (Critical · CVSSv3)
- Worst impact: Missing Authentication for Critical Function
- Status: No confirmed exploitation yet
- Action: See vendor advisories
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-40702 | 9.4 | Missing Authentication for Critical Function | Not exploited |
| CVE-2026-50176 | 7.5 | Improper Restriction of Excessive Authentication Attempts | Not exploited |
| CVE-2026-54479 | 7.3 | Insufficient Session Expiration | Not exploited |
| CVE-2026-44622 | 6.5 | Insufficiently Protected Credentials | Not exploited |
TL;DR
Four security flaws, the most severe rated critical (CVSS 9.4), affect all versions of the EVoke Systems Charging Station Management System. These EVoke Systems vulnerabilities allow attackers to impersonate chargers, hijack active sessions and disrupt daily charging operations. Administrators must move chargers to the modern OCPP authentication profiles immediately to secure these vital networks.
Why It Matters
This management software controls critical infrastructure for electric vehicle charging across multiple locations. An attacker could gain unauthorized administrative control over vulnerable charging stations. Consequently, they could disrupt essential services through targeted denial-of-service attacks. This threat endangers public charging availability and compromises grid stability. Furthermore, malicious actors could steal sensitive operational data from the network.
How the Attack Works
The platform’s primary WebSocket endpoints lack authentication checks entirely. Specifically, CVE-2026-40702 allows attackers to impersonate legitimate charging stations with minimal effort. Next, CVE-2026-50176 describes the absence of rate limiting on the application programming interface, which enables automated brute-force attacks against the backend system.
Additionally, CVE-2026-54479 concerns highly predictable session identifiers within the application, and multiple endpoints can connect using the exact same session ID. Finally, CVE-2026-44622 covers charging station authentication identifiers that web-based mapping platforms publicly expose. Attackers can combine these issues to bypass access controls completely.
Exploitation Status
Security researchers have not confirmed active exploitation of these flaws in the wild. Similarly, public proof-of-concept exploits do not exist at this time.
Affected Versions
These severe EVoke Systems vulnerabilities affect all deployed versions of the EVoke CSMS software. Every installation requires immediate review.
Patch or Mitigation Steps
EVoke strongly recommends upgrading all chargers to OCPP Security Profile 2 or 3. These profiles require TLS on the charger-to-CSMS connection and authenticate the charger to the backend (HTTP Basic authentication in Profile 2, client certificates in Profile 3). However, some legacy chargers cannot support these modern security standards. Therefore, EVoke is deploying server-side protections to reject unknown charger identifiers.
Furthermore, the platform now restricts active connections to a single session per charger ID. The backend will automatically terminate duplicate sessions to prevent spoofing. EVoke will also implement connection rate limiting at the gateway layer. Additionally, the vendor is developing a lifecycle policy for unsupported legacy chargers. This policy includes risk classification and specific migration planning with site operators. To review the official advisory, visit the CISA advisory page.
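The following is an added illustration, not EVoke's code or the project's own gateway: a minimal connection gate that enforces the server-side protections described above and counters the issues listed under How the Attack Works. It assumes a backend that terminates the WebSocket handshake and passes the charger ID, the Basic-auth password and the source address to a check before accepting the connection. The charger registry, charger IDs, password and IP addresses below are constructed sample values; credentials are compared in constant time, unknown charger IDs are rejected, a second connection for the same charger ID displaces the first, session IDs come from a CSPRNG, and connection attempts per source are rate limited with a sliding window. A real deployment would store hashed passwords and persist sessions across gateway instances.

```python
"""Constructed example: gateway-side checks for an OCPP-style CSMS.

Not EVoke's code. Demonstrates rejecting unknown charger IDs, single
session per charger ID, unpredictable session IDs and per-source rate
limiting, all enforced before a WebSocket connection is accepted.
"""
import hmac
import secrets
import time
from collections import deque
from dataclasses import dataclass


@dataclass
class ChargerRecord:
    """One registered charger. A real registry stores a password hash."""
    charger_id: str
    password: str


class ConnectionGate:
    def __init__(self, known_chargers, max_attempts=5, window_seconds=60,
                 clock=time.monotonic):
        # charger_id -> ChargerRecord; anything not here is rejected
        self._chargers = {c.charger_id: c for c in known_chargers}
        # charger_id -> currently active session ID (at most one)
        self._sessions = {}
        # source address -> timestamps of recent connection attempts
        self._attempts = {}
        self._max_attempts = max_attempts
        self._window = window_seconds
        self._clock = clock  # injectable for testing

    def _rate_limited(self, source):
        """Sliding-window limit on connection attempts from one source."""
        now = self._clock()
        recent = self._attempts.setdefault(source, deque())
        while recent and now - recent[0] > self._window:
            recent.popleft()
        if len(recent) >= self._max_attempts:
            return True
        recent.append(now)
        return False

    def connect(self, charger_id, password, source):
        """Decide whether to accept a charger connection.

        Returns (decision, new_session_id, terminated_session_id).
        """
        if self._rate_limited(source):
            return ("rate_limited", None, None)
        record = self._chargers.get(charger_id)
        if record is None:
            # Unknown charger identifiers are refused outright.
            return ("unknown_charger", None, None)
        # Constant-time comparison avoids leaking how much of the
        # password matched through response timing.
        if not hmac.compare_digest(record.password.encode(),
                                   password.encode()):
            return ("bad_credentials", None, None)
        # One live session per charger ID: a new connection for the same
        # ID terminates the previous one rather than coexisting with it.
        terminated = self._sessions.get(charger_id)
        session_id = secrets.token_urlsafe(32)  # 256 bits from os.urandom
        self._sessions[charger_id] = session_id
        return ("accepted", session_id, terminated)

    def active_session(self, charger_id):
        return self._sessions.get(charger_id)


if __name__ == "__main__":
    # Constructed registry and attempts; values are illustrative only.
    gate = ConnectionGate([ChargerRecord("CP-0001", "example-secret")])
    print(gate.connect("CP-9999", "x", "192.0.2.10")[0])          # unknown_charger
    print(gate.connect("CP-0001", "wrong", "192.0.2.10")[0])      # bad_credentials
    first = gate.connect("CP-0001", "example-secret", "192.0.2.10")
    second = gate.connect("CP-0001", "example-secret", "192.0.2.11")
    print(first[0], second[0], second[2] == first[1])             # accepted accepted True
```

The displaced session (the third element of the `accepted` tuple) is what the backend would close and log; a burst of displacements for one charger ID from differing source addresses is a useful detection signal for the spoofing scenario the advisory describes.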