Cyber Posture

CVE-2026-27028

Critical

Published: 27 February 2026
Modified: 05 March 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0020 (41.3 percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Requires unique identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized station impersonation.
- prevent: Mandates identification and documentation of any permitted actions without authentication on OCPP WebSocket endpoints, ensuring critical functions like command issuance require authentication.
- prevent: Enforces approved access authorizations for OCPP WebSocket endpoints, blocking unauthenticated attackers from manipulating data or issuing commands as legitimate chargers.
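The first control above (authenticate the charging station before the WebSocket connection is established) is the one that closes CWE-306 here. The following is an added illustration, not code from the advisory or from Mobility46: it contrasts the weakness as described (any client that presents a station identifier in the URL path is treated as that station) with a handshake check that requires per-station credentials. It assumes the OCPP-J convention of carrying the charge point identity as the last URL path segment and the OCPP security-profile approach of HTTP Basic authentication on the upgrade request, with the username equal to the station identity; the station ids, secrets, header names and request shapes are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from dataclasses import dataclass


def _derive(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2 of a station secret; only the derived value is stored server side."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def make_credential_store(provisioned: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Build a station-id -> (salt, hash) store from secrets provisioned out of band."""
    return {sid: (salt, _derive(secret.encode(), salt))
            for sid, secret in provisioned.items()
            for salt in (os.urandom(16),)}


# Dummy salt used so that unknown station ids cost the same time as known ones.
_DUMMY_SALT = os.urandom(16)


@dataclass
class Decision:
    accepted: bool
    station_id: str | None
    reason: str


def station_id_from_path(path: str) -> str | None:
    """OCPP-J convention (assumed here): the charge point identity is the last path segment."""
    segment = path.rstrip("/").rsplit("/", 1)[-1]
    return segment or None


def vulnerable_accept(path: str, headers: dict[str, str]) -> Decision:
    """The weakness as the advisory describes it: the path alone decides which station you are."""
    sid = station_id_from_path(path)
    if sid is None:
        return Decision(False, None, "no station id in path")
    return Decision(True, sid, "accepted on path alone; no authentication")


def hardened_accept(path: str, headers: dict[str, str],
                    store: dict[str, tuple[bytes, bytes]]) -> Decision:
    """Require Basic credentials whose username matches the station id in the path."""
    sid = station_id_from_path(path)
    if sid is None:
        return Decision(False, None, "no station id in path")
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    auth = lowered.get("authorization", "")
    if not auth.startswith("Basic "):
        return Decision(False, None, "missing Basic credentials")
    try:
        raw = base64.b64decode(auth[len("Basic "):], validate=True)
    except ValueError:
        return Decision(False, None, "malformed Basic credentials")
    user, sep, secret = raw.partition(b":")
    if not sep or user.decode(errors="replace") != sid:
        return Decision(False, None, "username does not match station id in path")
    salt, expected = store.get(sid, (_DUMMY_SALT, b""))
    derived = _derive(secret, salt)          # always derive, so unknown ids are not a timing oracle
    if not expected or not hmac.compare_digest(derived, expected):
        return Decision(False, None, "unknown station or wrong secret")
    return Decision(True, sid, "authenticated")


def basic_auth_header(user: str, secret: str) -> dict[str, str]:
    """Helper to build the Authorization header a station would send (constructed)."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}


# Constructed demo store: one provisioned station.
DEMO_STORE = make_credential_store({"CP-DEMO-001": "example-station-secret"})


def demo() -> dict[str, bool]:
    """Run the two handshake policies over constructed upgrade requests."""
    path = "/ocpp/CP-DEMO-001"
    return {
        "vulnerable_no_creds": vulnerable_accept(path, {}).accepted,
        "hardened_no_creds": hardened_accept(path, {}, DEMO_STORE).accepted,
        "hardened_good": hardened_accept(
            path, basic_auth_header("CP-DEMO-001", "example-station-secret"), DEMO_STORE).accepted,
        "hardened_wrong_secret": hardened_accept(
            path, basic_auth_header("CP-DEMO-001", "guess"), DEMO_STORE).accepted,
        "hardened_id_mismatch": hardened_accept(
            "/ocpp/CP-DEMO-002", basic_auth_header("CP-DEMO-001", "example-station-secret"),
            DEMO_STORE).accepted,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The check runs during the HTTP upgrade, before any OCPP message is parsed, so an impersonation attempt never reaches the backend's command handling. Binding the Basic username to the path identity is what stops one valid credential from being replayed under another station's identifier; the dummy derivation for unknown ids keeps the rejection path from revealing which identifiers are provisioned. A deployment that prefers certificate-based station identity can replace the credential lookup with a client-certificate check at the same handshake point.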

Security Summary [AI-generated]

CVE-2026-27028 is a critical vulnerability in OCPP WebSocket endpoints that lack proper authentication mechanisms, allowing attackers to perform unauthorized station impersonation and manipulate data sent to the backend. Published on 2026-02-27, it affects charging infrastructure components implementing the Open Charge Point Protocol (OCPP), where no authentication is required for connections. Mapped to CWE-306 (Missing Authentication for Critical Function), the issue has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating high confidentiality, integrity, and limited availability impacts.

An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issuing or receiving OCPP commands as a legitimate charger. This enables privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend, all over the network with low complexity and no user interaction required.

CISA has issued ICS Advisory ICSA-26-057-08 detailing the vulnerability, available alongside related files from cisagov/CSAF and Mobility46. These resources provide further guidance on the issue in operational technology contexts.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Affected Products: mobility46 (mobility46.se), all versions

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Unauthenticated OCPP WebSocket endpoint enables remote exploitation of a public-facing application (T1190), facilitating station impersonation for privilege escalation (T1068) and unauthorized data manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References