CVE-2026-27767

Critical

Published: 27 February 2026

Published

27 February 2026

Modified

05 March 2026

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score 0.0020 41.3th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…

or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigating Controls (NIST 800-53 r5)AI

IA-3 Device Identification and Authentication good match

prevent

Requires unique identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized station impersonation.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Limits permitted actions without identification or authentication to exclude critical OCPP WebSocket functions, mitigating unauthenticated access and data manipulation.

AC-3 Access Enforcement good match

prevent

Enforces approved access control policies at WebSocket endpoints to require authentication for all station commands and data exchanges.

Security SummaryAI

CVE-2026-27767 is a critical vulnerability in OCPP WebSocket endpoints used in charging infrastructure, where the endpoints lack proper authentication mechanisms. This flaw, published on 2026-02-27, enables attackers to perform unauthorized station impersonation and manipulate data sent to the backend. It is associated with CWE-306 (Missing Authentication for Critical Function) and carries a CVSS score of 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issuing or receiving OCPP commands as a legitimate charger. Successful exploitation allows privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CISA's ICS Advisory ICSA-26-057-06 details mitigation recommendations, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06, with the corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-06.json. Vendor contact for further assistance is provided at https://swtchenergy.com/contact/.

Details

CWE(s): CWE-306

Affected Products

swtchenergy

swtchenergy.com

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability in public-facing OCPP WebSocket endpoints lacking authentication directly enables exploitation for initial access via public-facing application (T1190) and privilege escalation through unauthorized station impersonation and control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-06.json
Third Party Advisory · ics-cert@hq.dhs.gov
https://swtchenergy.com/contact/
Product · ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06
Third Party Advisory, US Government Resource · ics-cert@hq.dhs.gov