{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cloudcharge.se/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cloudcharge.se"],"_cs_severities":["critical"],"_cs_tags":["cloudcharge","ics","vulnerability","dos"],"_cs_type":"advisory","_cs_vendors":["CloudCharge"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in CloudCharge cloudcharge.se, a charging station management platform. These vulnerabilities, including CVE-2026-20781, CVE-2026-25114, CVE-2026-27652, and CVE-2026-20733, could allow attackers to compromise charging stations and backend systems. Specifically, the lack of proper authentication and session management in the WebSocket API enables unauthorized access and control. Given that the vulnerable software is used within the Energy and Transportation Systems sectors worldwide, successful exploitation could disrupt critical infrastructure. The vendor has not responded to coordination requests.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible charging station identifier via web-based mapping platforms (CVE-2026-20733).\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the OCPP WebSocket endpoint of a CloudCharge charging station using the discovered identifier (CVE-2026-20781).\u003c/li\u003e\n\u003cli\u003eDue to the missing authentication mechanisms, the attacker successfully impersonates a legitimate charger (CVE-2026-20781).\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the lack of rate limiting and floods the authentication endpoint with requests, causing a denial-of-service condition by suppressing legitimate charger telemetry (CVE-2026-25114).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits the predictable session identifiers and attempts to hijack an existing charging session (CVE-2026-27652).\u003c/li\u003e\n\u003cli\u003eThe attacker sends malicious OCPP commands to manipulate charging processes or corrupt charging network data reported to the backend (CVE-2026-20781).\u003c/li\u003e\n\u003cli\u003eThe attacker displaces the legitimate charging station's connection, receiving backend commands intended for the original station (CVE-2026-27652).\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to disrupt charging services, manipulate billing information, or gain persistent access to the charging infrastructure backend.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could have significant consequences, particularly in the Energy and Transportation Systems sectors. Attackers could disrupt electric vehicle charging services, leading to widespread outages and transportation delays. Compromised charging stations could be used to manipulate billing information, causing financial losses for both customers and charging station operators. A large-scale denial-of-service attack could overwhelm the CloudCharge backend, rendering entire charging networks inoperable. Given the worldwide deployment of CloudCharge, the impact could be felt across multiple countries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections to the CloudCharge infrastructure for suspicious WebSocket traffic originating from unexpected sources, using the \u003ccode\u003eDetect Suspicious CloudCharge WebSocket Connection\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on authentication requests to the CloudCharge WebSocket API to mitigate denial-of-service attempts, referencing the information about CVE-2026-25114.\u003c/li\u003e\n\u003cli\u003eMonitor logs for multiple connections using the same charging station identifier, indicating potential session hijacking attempts, using the \u003ccode\u003eDetect CloudCharge Session Hijacking\u003c/code\u003e Sigma rule and the context for CVE-2026-27652.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to web-based mapping platforms that may expose charging station authentication identifiers, mitigating the risk associated with CVE-2026-20733.\u003c/li\u003e\n\u003cli\u003eContact CloudCharge directly via their support page (\u003ca href=\"https://cloudcharge.tech/support/contact/\"\u003ehttps://cloudcharge.tech/support/contact/\u003c/a\u003e) to inquire about available patches or mitigations for CVE-2026-20781, CVE-2026-25114, CVE-2026-27652, and CVE-2026-20733.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-13T12:00:00Z","date_published":"2026-06-13T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cloudcharge-vulns/","summary":"Multiple vulnerabilities in CloudCharge cloudcharge.se allow attackers to impersonate charging stations, hijack sessions, cause denial of service, and manipulate backend data, impacting energy and transportation sectors.","title":"CloudCharge Vulnerabilities Allow Charging Station Impersonation and DoS","url":"https://feed.craftedsignal.io/briefs/2026-06-cloudcharge-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed - Cloudcharge.se","version":"https://jsonfeed.org/version/1.1"}