Executive Summary
In March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory highlighting multiple critical vulnerabilities in ePower's charging platform, epower.ie. These vulnerabilities include missing authentication for critical functions, improper restriction of excessive authentication attempts, insufficient session expiration, and insufficiently protected credentials. Exploitation of these flaws could allow attackers to gain unauthorized administrative control over charging stations or disrupt services through denial-of-service attacks. (windowsforum.com)
The disclosure underscores the growing cybersecurity risks in the energy and transportation sectors, particularly concerning electric vehicle (EV) infrastructure. As EV adoption accelerates, ensuring the security of charging networks becomes paramount to prevent potential disruptions and maintain public trust in these emerging technologies.
Why This Matters Now
The rapid expansion of electric vehicle infrastructure introduces new attack surfaces, making it imperative to address vulnerabilities promptly to safeguard critical energy and transportation systems.
Attack Path Analysis
An attacker exploited the lack of authentication in ePower's WebSocket endpoints to impersonate charging stations, gaining unauthorized access. They escalated privileges by leveraging predictable session identifiers to hijack active sessions. The attacker moved laterally by connecting to multiple charging stations using publicly accessible identifiers. They established command and control by issuing unauthorized commands to the charging infrastructure. The attacker exfiltrated sensitive data by manipulating telemetry sent to the backend. Finally, they caused operational disruption by remotely stopping charging sessions, leading to denial-of-service conditions.
Kill Chain Progression
Initial Compromise
Description
Exploited unauthenticated WebSocket endpoints to impersonate charging stations.
Related CVEs
CVE-2026-22552
CVSS 9.4
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend.
Affected Products:
ePower ePower epower.ie – all
Exploit Status:
no public exploit
CVE-2026-27778
CVSS 7.5
The WebSocket API lacks restrictions on the number of authentication requests, allowing potential denial-of-service or brute-force attacks.
Affected Products:
ePower ePower epower.ie – all
Exploit Status:
no public exploit
CVE-2026-24912
CVSS 7.3
The WebSocket backend allows multiple endpoints to connect using the same session identifier, leading to session hijacking or denial-of-service conditions.
Affected Products:
ePower ePower epower.ie – all
Exploit Status:
no public exploit
CVE-2026-27770
CVSS 6.5
Charging station authentication identifiers are publicly accessible via web-based mapping platforms, potentially exposing sensitive information.
Affected Products:
ePower ePower epower.ie – all
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Use Alternate Authentication Material
Application Layer Protocol
Network Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit repeated access attempts by locking out the user ID after not more than 10 attempts.
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical infrastructure vulnerabilities in EV charging systems expose energy grid operations to unauthorized control, session hijacking, and denial-of-service attacks affecting power distribution networks.
Transportation
Authentication bypass and session manipulation vulnerabilities in charging infrastructure could disrupt electric vehicle operations, fleet management, and transportation logistics through unauthorized station control.
Utilities
Missing authentication controls and excessive authentication attempt vulnerabilities threaten utility-operated charging networks, potentially compromising grid stability and customer service delivery systems.
Automotive
WebSocket endpoint vulnerabilities in charging station infrastructure could impact automotive manufacturers' EV ecosystem, charging partnerships, and vehicle-to-infrastructure communication protocols and data integrity.
Sources
- ePower epower.ie: https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit unauthenticated WebSocket endpoints, escalate privileges, move laterally, establish command and control, exfiltrate data, and disrupt operations. By implementing identity-aware segmentation and enforcing least-privilege access, the attacker's reach and impact would likely have been significantly reduced.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit unauthenticated WebSocket endpoints to impersonate charging stations would likely have been constrained.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to hijack active sessions and escalate privileges would likely have been constrained.
Control: East-West Traffic Security
Mitigation: The attacker's ability to connect to multiple charging stations to expand control would likely have been constrained.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to issue unauthorized commands to the charging infrastructure would likely have been constrained.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to manipulate telemetry data to exfiltrate sensitive information would likely have been constrained.
The attacker's ability to remotely stop charging sessions, causing denial-of-service conditions, would likely have been constrained.
Impact at a Glance
Affected Business Functions
- Charging Station Operations
- Customer Billing
- Network Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of customer billing information and operational data.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict authentication mechanisms for all WebSocket endpoints to prevent unauthorized access.
- Enforce session management controls, including unique session identifiers and proper expiration policies, to mitigate session hijacking risks.
- Apply Zero Trust Segmentation to restrict lateral movement between charging stations and limit unauthorized access.
- Deploy Web Application Firewalls (WAFs) to monitor and filter malicious WebSocket traffic, enhancing command and control detection.
- Establish comprehensive logging and monitoring to detect and respond to unauthorized activities promptly.
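The first two recommendations, sketched as backend admission logic (an added example, not code from ePower or the CISA advisory): each station must present a secret, failed attempts are throttled, and each station holds one random, expiring session token. The class name `StationGate`, the thresholds, the peer-address key and the SHA-256 storage of high-entropy per-station secrets are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5        # assumed threshold
LOCKOUT_SECONDS = 300   # assumed lockout window
SESSION_TTL = 900       # assumed idle timeout, seconds


class StationGate:
    """Admission decisions for station WebSocket connections (no network I/O)."""

    def __init__(self, credentials, clock=time.monotonic):
        self.credentials = credentials  # station_id -> SHA-256 hex of its secret
        self.clock = clock
        self.failures = {}  # peer address -> (count, window start)
        self.sessions = {}  # station_id -> (token, last seen)

    def connect(self, peer, station_id, secret):
        now = self.clock()
        # Throttle per peer, not per station: station IDs are public, so a
        # per-station lockout would let anyone lock out the real station.
        count, start = self.failures.get(peer, (0, now))
        if now - start > LOCKOUT_SECONDS:
            count, start = 0, now
        if count >= MAX_FAILURES:
            return None, "locked_out"
        expected = self.credentials.get(station_id, "")
        supplied = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(expected, supplied):
            self.failures[peer] = (count + 1, start)
            return None, "bad_credentials"
        self.failures.pop(peer, None)
        # A fresh random token replaces any earlier one, so only one
        # connection per station can hold a valid session.
        token = secrets.token_urlsafe(32)
        self.sessions[station_id] = (token, now)
        return token, "accepted"

    def authorize(self, station_id, token):
        now = self.clock()
        current, seen = self.sessions.get(station_id, ("", 0.0))
        if not current or not hmac.compare_digest(current.encode(), token.encode()):
            return False
        if now - seen > SESSION_TTL:
            del self.sessions[station_id]  # expired: force re-authentication
            return False
        self.sessions[station_id] = (current, now)
        return True
```

Logging each `locked_out` and `bad_credentials` result, together with every token replacement, gives the monitoring recommendation concrete events to alert on.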



