Cyber Posture

CVE-2026-24731

Critical

Published: 27 February 2026

Published
27 February 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0020 41.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…

more

or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigating Controls (NIST 800-53 r5)AI

IA-3 Device Identification and Authentication good match
prevent

Requires identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized impersonation and command issuance.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for all access to OCPP WebSocket endpoints, blocking unauthenticated manipulation of charging infrastructure data.

AC-17 Remote Access good match
prevent

Authorizes and controls remote access to backend systems via WebSocket, requiring authentication mechanisms to mitigate network-based station impersonation.

Security SummaryAI

CVE-2026-24731 is a high-severity vulnerability (CVSS 9.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) in OCPP WebSocket endpoints that lack proper authentication mechanisms, mapped to CWE-306 (Missing Authentication for Critical Function). It affects charging station infrastructure, where the endpoints allow unauthorized station impersonation and manipulation of data sent to backend systems. Published on 2026-02-27, the flaw enables attackers to connect using a known or discovered charging station identifier and issue or receive OCPP commands as a legitimate charger.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no privileges required. By connecting to the exposed OCPP WebSocket endpoint, the attacker can impersonate any station, leading to privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend.

CISA has issued ICS Advisory ICSA-26-057-04 detailing the vulnerability, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04, along with a corresponding CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json. Additional information is provided by the vendor at https://ev2go.io/. Security practitioners should consult these advisories for mitigation guidance and patch availability.

Details

CWE(s)
CWE-306

Affected Products

ev2go
ev2go.io
all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1684.001 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The vulnerability enables exploitation of a public-facing WebSocket application (T1190), allows impersonation of charging stations (T1656), and leads to privilege escalation from unauthenticated access to unauthorized control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References