{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/charging-station/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["electric-vehicle","charging-station","websocket"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSWITCH EV\u0026rsquo;s swtchenergy.com charging stations are affected by multiple vulnerabilities that could allow attackers to gain unauthorized access and disrupt services. These vulnerabilities include missing authentication mechanisms, lack of rate limiting on authentication requests, predictable session identifiers, and publicly accessible authentication identifiers. Successful exploitation could lead to station impersonation, session hijacking, denial-of-service attacks, and manipulation of backend data. All versions of swtchenergy.com are affected. The vendor did not respond to CISA\u0026rsquo;s request for coordination. 
The charging stations are deployed worldwide in the energy and transportation sectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a charging station ID via public mapping platforms (CVE-2026-27773).\u003c/li\u003e\n\u003cli\u003eAttacker connects to the OCPP WebSocket endpoint of the charging station using the discovered ID (CVE-2026-27767).\u003c/li\u003e\n\u003cli\u003eBecause no authentication is required, the attacker impersonates the charging station.\u003c/li\u003e\n\u003cli\u003eAttacker sends malicious commands to the backend, potentially manipulating charging parameters or data (CVE-2026-27767).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker floods the authentication endpoint with requests, causing a denial-of-service condition by overwhelming the backend (CVE-2026-25113).\u003c/li\u003e\n\u003cli\u003eAttacker hijacks a legitimate session by establishing a new connection using the same session identifier (CVE-2026-25778).\u003c/li\u003e\n\u003cli\u003eThe legitimate charging station is disconnected, and the attacker receives backend commands intended for the legitimate station.\u003c/li\u003e\n\u003cli\u003eAttacker manipulates charging station behavior or data, causing disruption or financial loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could have significant consequences. Attackers could impersonate charging stations, hijack sessions, suppress or misroute traffic to cause large-scale denial-of-service attacks, and manipulate data sent to the backend. This could lead to widespread disruption of EV charging services, financial losses for charging station operators and users, and potential damage to the electrical grid. 
Given the global deployment of these charging stations in the energy and transportation sectors, the impact could be widespread.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections to OCPP WebSocket endpoints for connections without proper authentication to detect potential station impersonation attempts related to CVE-2026-27767.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on authentication requests to the WebSocket API to mitigate denial-of-service attacks as described in CVE-2026-25113.\u003c/li\u003e\n\u003cli\u003eMonitor for multiple connections using the same session identifier to detect potential session hijacking attempts related to CVE-2026-25778.\u003c/li\u003e\n\u003cli\u003eMonitor for access to swtchenergy.com from unusual or unexpected geolocations.\u003c/li\u003e\n\u003cli\u003eConsult SWITCH EV (swtchenergy.com) for potential mitigations or workarounds, as they did not respond to CISA\u0026rsquo;s request for coordination.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T12:00:00Z","date_published":"2026-02-27T12:00:00Z","id":"/briefs/2026-02-switch-ev-vulns/","summary":"Multiple vulnerabilities in SWITCH EV swtchenergy.com charging stations could allow attackers to impersonate stations, hijack sessions, cause denial of service, and manipulate backend data due to missing authentication, rate limiting issues, session expiration flaws, and exposed credentials.","title":"Multiple Vulnerabilities in SWITCH EV Charging Stations","url":"https://feed.craftedsignal.io/briefs/2026-02-switch-ev-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["mobility46","charging-station","vulnerability","ics"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMobility46 charging stations are affected by multiple vulnerabilities that could allow attackers to gain 
unauthorized administrative control or disrupt charging services. These vulnerabilities, identified in all versions of mobility46.se, include missing authentication for critical functions (CVE-2026-27028), improper restriction of excessive authentication attempts (CVE-2026-26305), insufficient session expiration (CVE-2026-27647), and insufficiently protected credentials (CVE-2026-22878). Exploitation could lead to privilege escalation, unauthorized control of charging infrastructure, corruption of charging network data, and denial-of-service conditions. Mobility46 did not respond to CISA\u0026rsquo;s request for coordination. These charging stations are deployed worldwide across the energy and transportation sectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Mobility46 charging station\u0026rsquo;s identifier via publicly accessible web-based mapping platforms due to insufficient credential protection (CVE-2026-22878).\u003c/li\u003e\n\u003cli\u003eAttacker connects to the charging station\u0026rsquo;s OCPP WebSocket endpoint using the discovered charging station identifier, exploiting the lack of authentication mechanisms (CVE-2026-27028).\u003c/li\u003e\n\u003cli\u003eAttacker issues unauthorized OCPP commands to the charging station, impersonating a legitimate charger due to missing authentication for critical functions (CVE-2026-27028).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker overwhelms the WebSocket API with authentication requests, exploiting the lack of rate limiting and causing a denial-of-service condition (CVE-2026-26305).\u003c/li\u003e\n\u003cli\u003eAttacker hijacks or shadows a legitimate charging station session by establishing a new connection using the same session identifier, as multiple endpoints are allowed per session (CVE-2026-27647).\u003c/li\u003e\n\u003cli\u003eThe attacker receives backend commands intended for the legitimate charging 
station, gaining unauthorized control (CVE-2026-27647).\u003c/li\u003e\n\u003cli\u003eAttacker manipulates charging parameters, disrupts charging services, or corrupts charging network data reported to the backend.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain unauthorized control of charging infrastructure and disrupt charging services or cause financial and reputational damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations, leading to manipulation of charging parameters and disruption of services. Organizations in the energy and transportation sectors are affected worldwide. The lack of authentication and session management could allow attackers to cause denial-of-service conditions, potentially affecting numerous charging stations simultaneously. This could lead to significant financial losses, reputational damage, and disruption of critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections for unusual WebSocket traffic patterns originating from or directed towards the domain mobility46.se to detect potential exploitation attempts (IOC: mobility46.se).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated WebSocket Connection to Mobility46 Charging Station\u0026rdquo; to identify connections lacking proper authentication. 
Enable network connection logging for WebSocket traffic (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eApply rate limiting measures to the WebSocket API endpoints to mitigate potential denial-of-service attacks resulting from excessive authentication attempts as described in CVE-2026-26305.\u003c/li\u003e\n\u003cli\u003eImplement robust authentication mechanisms for all WebSocket endpoints to prevent unauthorized station impersonation and data manipulation, addressing CVE-2026-27028.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate the exposure of charging station authentication identifiers on web-based mapping platforms to prevent unauthorized access, addressing CVE-2026-22878.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T12:00:00Z","date_published":"2026-02-27T12:00:00Z","id":"/briefs/2026-02-mobility46-vulns/","summary":"Multiple vulnerabilities in Mobility46 charging stations allow attackers to gain unauthorized administrative control or disrupt charging services through missing authentication, improper authentication restrictions, insufficient session expiration, and exposed credentials.","title":"Mobility46 Charging Station Vulnerabilities Allow Unauthorized Control and Disruption","url":"https://feed.craftedsignal.io/briefs/2026-02-mobility46-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ev2go","charging-station","vulnerability","denial-of-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been discovered in EV2GO ev2go.io charging stations. These vulnerabilities, identified as CVE-2026-24731, CVE-2026-25945, CVE-2026-20895, and CVE-2026-22890, relate to missing authentication for critical functions, improper restriction of excessive authentication attempts, insufficient session expiration, and insufficiently protected credentials. 
Successful exploitation of these flaws could enable attackers to impersonate charging stations, hijack legitimate user sessions, and suppress or misroute traffic, potentially leading to a large-scale denial-of-service (DoS) attack. These vulnerabilities affect all versions of ev2go.io and impact critical infrastructure sectors such as energy and transportation systems globally. The lack of vendor response to reported vulnerabilities further exacerbates the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a valid charging station identifier using publicly accessible mapping platforms, exploiting CVE-2026-22890.\u003c/li\u003e\n\u003cli\u003eAttacker connects to the OCPP WebSocket endpoint of a charging station without proper authentication, leveraging CVE-2026-24731.\u003c/li\u003e\n\u003cli\u003eAttacker issues unauthorized OCPP commands to the backend as a legitimate charger, due to the missing authentication mechanisms (CVE-2026-24731).\u003c/li\u003e\n\u003cli\u003eAttacker attempts multiple authentication requests without any rate limiting, potentially leading to a denial-of-service (DoS) by overwhelming the backend (CVE-2026-25945).\u003c/li\u003e\n\u003cli\u003eAttacker hijacks or shadows existing sessions due to predictable session identifiers and the ability for multiple endpoints to connect using the same identifier (CVE-2026-20895).\u003c/li\u003e\n\u003cli\u003eLegitimate charging station is displaced, and the attacker receives backend commands intended for the original station (CVE-2026-20895).\u003c/li\u003e\n\u003cli\u003eAttacker manipulates charging station operations or charging network data reported to the backend.\u003c/li\u003e\n\u003cli\u003eFinal objective: Cause disruption of charging services for users, corrupt charging network data, or potentially gain control of the charging infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could have significant consequences. An attacker can disrupt charging services, leading to stranded electric vehicles and customer dissatisfaction. Data manipulation could result in incorrect billing or inaccurate reporting. A large-scale denial-of-service attack could impact entire charging networks, affecting energy distribution and transportation systems. Given the widespread deployment of EV2GO charging stations worldwide, a successful attack could affect a large number of users and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to \u003ccode\u003eev2go.io\u003c/code\u003e that do not originate from known, authorized charging stations.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on authentication attempts to the OCPP WebSocket API to mitigate CVE-2026-25945.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthorized OCPP Connection\u0026rdquo; to identify potential station impersonation attempts based on CVE-2026-24731.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected OCPP commands being issued from charging stations that are not aligned with normal operation to detect malicious manipulation of charging infrastructure, as described in CVE-2026-24731.\u003c/li\u003e\n\u003cli\u003eContact EV2GO at \u003ca href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for information on patching or mitigating these vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T10:00:00Z","date_published":"2026-02-27T10:00:00Z","id":"/briefs/2026-02-ev2go-vulns/","summary":"Multiple vulnerabilities in EV2GO charging stations, including missing authentication and session management flaws, could allow attackers to impersonate stations, hijack sessions, and cause denial-of-service 
conditions.","title":"EV2GO Charging Station Vulnerabilities Allow Impersonation and Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-02-ev2go-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ev.energy","charging-station","ics","vulnerability","dos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in EV Energy ev.energy charging stations, potentially allowing attackers to gain unauthorized administrative control or disrupt charging services. The vulnerabilities, detailed in CISA ICS Advisory ICSA-26-057-07, affect all versions of ev.energy. These vulnerabilities include missing authentication for critical functions (CVE-2026-27772), improper restriction of excessive authentication attempts (CVE-2026-24445), insufficient session expiration (CVE-2026-26290), and insufficiently protected credentials (CVE-2026-25774). Successful exploitation could lead to privilege escalation, unauthorized control of charging infrastructure, and denial-of-service conditions. The affected sectors include Energy and Transportation Systems, with worldwide deployment. 
The vendor, EV Energy, has not responded to CISA\u0026rsquo;s request for coordination.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e An attacker identifies EV Energy ev.energy charging stations that have publicly accessible authentication identifiers via web-based mapping platforms (CVE-2026-25774).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized WebSocket Connection:\u003c/strong\u003e The attacker connects to the OCPP WebSocket endpoint using a known charging station identifier without proper authentication (CVE-2026-27772).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession Hijacking:\u003c/strong\u003e The attacker exploits the lack of session expiration and predictable session identifiers to hijack a legitimate charging station\u0026rsquo;s session (CVE-2026-26290).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Manipulation:\u003c/strong\u003e The attacker issues unauthorized OCPP commands, manipulating data sent to the backend and gaining unauthorized control of the charging infrastructure (CVE-2026-27772).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Through unauthorized access and command execution, the attacker escalates privileges to administrative control over the charging station (CVE-2026-27772).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial-of-Service:\u003c/strong\u003e Alternatively, the attacker floods the WebSocket API with excessive authentication requests, causing a denial-of-service condition by suppressing or misrouting legitimate charger telemetry (CVE-2026-24445).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Disruption:\u003c/strong\u003e Legitimate users are unable to use the charging stations due to the attacker\u0026rsquo;s control or the denial-of-service condition.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Data 
Corruption:\u003c/strong\u003e The attacker manipulates charging network data reported to the backend, potentially impacting billing or grid management systems (CVE-2026-27772).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant disruptions in the Energy and Transportation Systems sectors. An attacker could gain administrative control over charging stations, manipulate charging processes, and cause denial-of-service conditions, rendering the stations unusable. The lack of vendor response further exacerbates the risk, leaving users without official patches or mitigation guidance. The compromise of charging network data could also have downstream impacts on billing and grid management systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement rate limiting on WebSocket authentication requests to mitigate CVE-2026-24445, preventing denial-of-service attacks. Monitor network traffic for excessive authentication attempts targeting OCPP WebSocket endpoints, and deploy a custom rule to detect such attempts.\u003c/li\u003e\n\u003cli\u003eDisable or restrict public access to web-based mapping platforms that expose charging station authentication identifiers to mitigate CVE-2026-25774. Conduct regular audits of publicly available information to identify and remove exposed credentials.\u003c/li\u003e\n\u003cli\u003eDeploy network segmentation and firewall rules to minimize network exposure for all charging station devices, as recommended by CISA. 
This will limit the attack surface and prevent unauthorized access from the Internet.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-26T12:00:00Z","date_published":"2026-02-26T12:00:00Z","id":"/briefs/2026-02-ev-energy-vulns/","summary":"Multiple vulnerabilities exist in EV Energy ev.energy that could allow an attacker to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.","title":"Multiple Vulnerabilities in EV Energy ev.energy Charging Stations","url":"https://feed.craftedsignal.io/briefs/2026-02-ev-energy-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Charging-Station","version":"https://jsonfeed.org/version/1.1"}