<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ev2go — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ev2go/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 27 Feb 2026 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ev2go/feed.xml" rel="self" type="application/rss+xml"/><item><title>EV2GO Charging Station Vulnerabilities Allow Impersonation and Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2026-02-ev2go-vulns/</link><pubDate>Fri, 27 Feb 2026 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-ev2go-vulns/</guid><description>Multiple vulnerabilities in EV2GO charging stations, including missing authentication and session management flaws, could allow attackers to impersonate stations, hijack sessions, and cause denial-of-service conditions.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been discovered in EV2GO ev2go.io charging stations. These vulnerabilities, identified as CVE-2026-24731, CVE-2026-25945, CVE-2026-20895, and CVE-2026-22890, relate to missing authentication for critical functions, improper restriction of excessive authentication attempts, insufficient session expiration, and insufficiently protected credentials. Successful exploitation of these flaws could enable attackers to impersonate charging stations, hijack legitimate user sessions, and suppress or misroute traffic, potentially leading to a large-scale denial-of-service (DoS) attack.
These vulnerabilities affect all versions of ev2go.io and impact critical infrastructure sectors such as energy and transportation systems globally. The lack of vendor response to reported vulnerabilities further exacerbates the risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a valid charging station identifier using publicly accessible mapping platforms, exploiting CVE-2026-22890.</li>
<li>Attacker connects to the OCPP WebSocket endpoint of a charging station without proper authentication, leveraging CVE-2026-24731.</li>
<li>Attacker issues unauthorized OCPP commands to the backend as a legitimate charger, due to the missing authentication mechanisms (CVE-2026-24731).</li>
<li>Attacker attempts multiple authentication requests without any rate limiting, potentially leading to a denial-of-service (DoS) by overwhelming the backend (CVE-2026-25945).</li>
<li>Attacker hijacks or shadows existing sessions due to predictable session identifiers and the ability for multiple endpoints to connect using the same identifier (CVE-2026-20895).</li>
<li>Legitimate charging station is displaced, and the attacker receives backend commands intended for the original station (CVE-2026-20895).</li>
<li>Attacker manipulates charging station operations or charging network data reported to the backend.</li>
<li>Final objective: Cause disruption of charging services for users, corrupt charging network data, or potentially gain control of the charging infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could have significant consequences. An attacker can disrupt charging services, leading to stranded electric vehicles and customer dissatisfaction. Data manipulation could result in incorrect billing or inaccurate reporting. A large-scale denial-of-service attack could impact entire charging networks, affecting energy distribution and transportation systems. Given the widespread deployment of EV2GO charging stations worldwide, a successful attack could affect a large number of users and critical infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for connections to <code>ev2go.io</code> that do not originate from known, authorized charging stations.</li>
<li>Implement rate limiting on authentication attempts to the OCPP WebSocket API to mitigate CVE-2026-25945.</li>
<li>Deploy the Sigma rule &ldquo;Detect Unauthorized OCPP Connection&rdquo; to identify potential station impersonation attempts based on CVE-2026-24731.</li>
<li>Monitor for unexpected OCPP commands being issued from charging stations that are not aligned with normal operation to detect malicious manipulation of charging infrastructure, as described in CVE-2026-24731.</li>
<li>Contact EV2GO at <a href="https://ev2go.io/">https://ev2go.io/</a> for information on patching or mitigating these vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ev2go</category><category>charging-station</category><category>vulnerability</category><category>denial-of-service</category></item></channel></rss>