Executive Summary
In February 2026, multiple critical vulnerabilities were identified in the ev.energy platform of EV Energy, a UK-based provider of electric vehicle charging software. These vulnerabilities include missing authentication for a critical function (CVE-2026-27772), improper restriction of excessive authentication attempts (CVE-2026-24445), insufficient session expiration (CVE-2026-26290), and insufficiently protected credentials (CVE-2026-25774). Exploitation of these flaws could allow attackers to gain unauthorized control over charging stations, disrupt services, and compromise data integrity. (beyondmachines.net)
The increasing integration of electric vehicle infrastructure with the power grid underscores the urgency of addressing these security gaps. As cyberattacks on EV charging stations rise, ensuring robust authentication and session management mechanisms is critical to prevent potential disruptions and maintain trust in the EV ecosystem. (yahoo.com)
Why This Matters Now
The rapid adoption of electric vehicles and their integration with the power grid make EV charging infrastructure a prime target for cyberattacks. Addressing these vulnerabilities is crucial to prevent potential disruptions and maintain trust in the EV ecosystem.
Attack Path Analysis
The following describes a plausible attack path that chains the four CVEs; no public exploit is known for any of them. An attacker exploits publicly accessible charging station authentication identifiers to impersonate legitimate stations and gain unauthorized access to the EV Energy ev.energy platform. Because the WebSocket endpoints lack authentication, the attacker can issue commands as a legitimate charger and escalate privileges to control charging infrastructure. The attacker can then move laterally by hijacking active sessions through reusable session identifiers, displacing legitimate stations. With command and control established, the attacker can manipulate charging station operations and data flows, and exfiltrate sensitive data by intercepting communications between charging stations and the backend. Finally, the attacker can disrupt charging services, causing denial-of-service conditions and corrupting network data.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited publicly accessible charging station authentication identifiers to impersonate legitimate stations and gain unauthorized access to the EV Energy ev.energy platform.
Related CVEs
CVE-2026-27772
CVSS 9.4
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend.
Affected Products:
EV Energy ev.energy – all
Exploit Status:
no public exploit
CVE-2026-24445
CVSS 7.5
The WebSocket API lacks restrictions on the number of authentication requests, allowing potential denial-of-service or brute-force attacks.
Affected Products:
EV Energy ev.energy – all
Exploit Status:
no public exploit
CVE-2026-26290
CVSS 7.3
The WebSocket backend allows multiple endpoints to connect using the same session identifier, leading to session hijacking or denial-of-service conditions.
Affected Products:
EV Energy ev.energy – all
Exploit Status:
no public exploit
CVE-2026-25774
CVSS 6.5
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Affected Products:
EV Energy ev.energy – all
Exploit Status:
no public exploit
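The four CVEs above describe one backend-side design gap from four angles: the public station identifier is treated as a credential, commands are accepted without an authenticated session, authentication attempts are unlimited, and a session identifier can be shared by several connections. The following is an added example written for this page, not code from EV Energy or the ev.energy platform, showing how a backend WebSocket session broker closes each gap. All class and function names, the limits (five failures per five-minute window, fifteen-minute session lifetime), the sample station secret and the command names are assumptions constructed for illustration.

```python
"""Backend-side session broker for charger WebSocket connections.

Added example, not code from EV Energy or the ev.energy platform. It models the
four weaknesses in the advisory from the defender's side: station identifiers
are treated as public (CVE-2026-25774), every command requires an authenticated
session (CVE-2026-27772), failed authentication attempts are rate-limited per
station (CVE-2026-24445), and a session token binds to exactly one connection
and expires (CVE-2026-26290). All names, limits and sample secrets are
assumptions made for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5        # assumption: lockout threshold per station
FAILURE_WINDOW_SECONDS = 300   # assumption: window in which failures are counted
SESSION_TTL_SECONDS = 900      # assumption: idle session lifetime


@dataclass
class Session:
    station_id: str
    expires_at: float
    endpoint_id: Optional[str] = None   # the single connection bound to this session


@dataclass
class SessionBroker:
    # station_id -> shared secret; constructed sample data, never a real credential
    station_secrets: Dict[str, str]
    sessions: Dict[str, Session] = field(default_factory=dict)
    failures: Dict[str, List[float]] = field(default_factory=dict)

    def _recent_failures(self, station_id: str, now: float) -> List[float]:
        """Drop failures older than the window and return the ones still counted."""
        cutoff = now - FAILURE_WINDOW_SECONDS
        kept = [t for t in self.failures.get(station_id, []) if t > cutoff]
        self.failures[station_id] = kept
        return kept

    def authenticate(self, station_id: str, secret: str, now: Optional[float] = None) -> Optional[str]:
        """Return a fresh random session token, or None if authentication is refused.

        The public station identifier alone never grants access: a per-station
        secret is required, compared in constant time, and repeated failures
        lock the station out for the rest of the window.
        """
        now = time.time() if now is None else now
        if len(self._recent_failures(station_id, now)) >= MAX_FAILED_ATTEMPTS:
            return None  # locked out: too many failed attempts in the window
        expected = self.station_secrets.get(station_id)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            self.failures.setdefault(station_id, []).append(now)
            return None
        token = secrets.token_urlsafe(32)  # unpredictable, not derived from station_id
        self.sessions[token] = Session(station_id=station_id, expires_at=now + SESSION_TTL_SECONDS)
        return token

    def attach(self, token: str, endpoint_id: str, now: Optional[float] = None) -> bool:
        """Bind a connection to a session; a second connection on the same token is refused."""
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None or now >= session.expires_at:
            self.sessions.pop(token, None)  # expired or unknown: forget it
            return False
        if session.endpoint_id is not None and session.endpoint_id != endpoint_id:
            return False  # another endpoint already holds this session
        session.endpoint_id = endpoint_id
        return True

    def handle_command(self, token: str, endpoint_id: str, command: str,
                       now: Optional[float] = None) -> str:
        """Accept a charger command only from the connection bound to an unexpired session."""
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None or now >= session.expires_at:
            self.sessions.pop(token, None)
            return "rejected: no valid session"
        if session.endpoint_id != endpoint_id:
            return "rejected: endpoint not bound to session"
        session.expires_at = now + SESSION_TTL_SECONDS  # refresh lifetime on activity
        return f"accepted: {session.station_id} {command}"


if __name__ == "__main__":
    broker = SessionBroker(station_secrets={"CS-0001": "s3cret-sample"})  # constructed
    t0 = 1_000_000.0
    token = broker.authenticate("CS-0001", "s3cret-sample", now=t0)
    print("attach first endpoint:", broker.attach(token, "conn-A", now=t0 + 1))
    print("attach second endpoint:", broker.attach(token, "conn-B", now=t0 + 2))
    print(broker.handle_command(token, "conn-A", "StartTransaction", now=t0 + 3))
```

The `now` parameter exists so that lockout and expiry behaviour can be exercised deterministically in tests; a real deployment would also persist the failure counters outside the process so that a restart does not reset a lockout.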
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Use Alternate Authentication Material
Application Layer Protocol
Network Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit repeated access attempts
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical infrastructure vulnerabilities in EV charging systems threaten energy grid stability through unauthorized station control and backend manipulation attacks.
Transportation
Authentication bypass and session hijacking vulnerabilities enable denial-of-service attacks disrupting electric vehicle charging infrastructure and fleet operations.
Automotive
Electric vehicle charging network compromises affect fleet management systems and autonomous vehicle operations through charging station impersonation and data corruption.
Utilities
Industrial control system vulnerabilities in charging infrastructure create attack vectors for grid manipulation and unauthorized administrative control over critical systems.
Sources
- EV Energy ev.energy (CISA ICS advisory) – https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07 – Verified
- NVD Entry for CVE-2026-27772 – https://nvd.nist.gov/vuln/detail/CVE-2026-27772 – Verified
- NVD Entry for CVE-2026-24445 – https://nvd.nist.gov/vuln/detail/CVE-2026-24445 – Verified
- NVD Entry for CVE-2026-26290 – https://nvd.nist.gov/vuln/detail/CVE-2026-26290 – Verified
- NVD Entry for CVE-2026-25774 – https://nvd.nist.gov/vuln/detail/CVE-2026-25774 – Verified
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit authentication identifiers, escalate privileges, and move laterally within the network, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix Zero Trust CNSF would likely have limited the attacker's ability to exploit authentication identifiers by enforcing strict identity-based access controls.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely have constrained the attacker's ability to escalate privileges by enforcing least-privilege access policies.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely have restricted the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely have constrained the attacker's command and control capabilities by providing real-time monitoring and control over network activities.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely have limited data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix Zero Trust CNSF could have constrained earlier attack stages, residual risks may persist, potentially leading to service disruptions and data integrity issues.
Impact at a Glance
Affected Business Functions
- Charging Station Operations
- Customer Billing
- Energy Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of charging station identifiers and associated data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least-privilege access and prevent unauthorized lateral movement.
- Deploy East-West Traffic Security controls to monitor and restrict internal communications, mitigating session hijacking risks.
- Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Apply Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads in real time.