CVE-2026-27772

Published: Feb 27, 2026

Modified: Mar 5, 2026

PUBLISHED

CVSS v3.1

9.4

CRITICAL

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Vendor	Product	Versions
EV Energy	ev.energy	affected `All versions`

Weaknesses (CWE)

CWE-306

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

References

https://www.ev.energy/en-us

https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-07.json

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-27772

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References