EV2GO 2026 Authentication Vulnerabilities: A Wake-Up Call for Critical Infrastructure Security
Executive Summary
In February 2026, multiple critical vulnerabilities were identified in EV2GO's ev2go.io charging management platform, affecting all versions. These flaws include missing authentication for critical functions (CVE-2026-24731), improper restriction of excessive authentication attempts (CVE-2026-25945), insufficient session expiration (CVE-2026-20895), and insufficiently protected credentials (CVE-2026-22890). Exploitation could allow attackers to impersonate charging stations, hijack sessions, misroute traffic causing large-scale denial of service, and manipulate backend data. (therealistjuggernaut.com)
The absence of vendor response and lack of available patches heighten the urgency for organizations to implement immediate defensive measures. This incident underscores the critical need for robust authentication mechanisms and proactive vulnerability management in infrastructure systems to prevent potential exploitation and operational disruptions.
Why This Matters Now
The EV2GO vulnerabilities highlight the pressing need for enhanced security in critical infrastructure, as the lack of immediate patches and vendor response leaves systems exposed to potential attacks, emphasizing the urgency for organizations to implement robust defensive measures promptly.
Attack Path Analysis
An attacker exploited publicly accessible charging station identifiers to impersonate legitimate devices, gaining unauthorized access to the EV2GO platform. By leveraging the lack of authentication and session management flaws, the attacker escalated privileges to control charging infrastructure. The attacker then moved laterally within the network, exploiting session hijacking vulnerabilities to intercept backend commands. Establishing command and control, the attacker manipulated data sent to the backend, causing misrouting of legitimate traffic. Subsequently, the attacker exfiltrated sensitive operational data, including user credentials and session information. Finally, the attacker disrupted services by suppressing legitimate charger telemetry, leading to large-scale denial of service.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited publicly accessible charging station identifiers to impersonate legitimate devices and gain unauthorized access to the EV2GO platform.
Related CVEs
CVE-2026-24731
CVSS 9.4WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend.
Affected Products:
EV2GO ev2go.io – all
Exploit Status:
no public exploitCVE-2026-25945
CVSS 7.5The WebSocket API lacks restrictions on the number of authentication requests, allowing attackers to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.
Affected Products:
EV2GO ev2go.io – all
Exploit Status:
no public exploitCVE-2026-20895
CVSS 7.3The WebSocket backend allows multiple endpoints to connect using the same session identifier, enabling session hijacking or shadowing.
Affected Products:
EV2GO ev2go.io – all
Exploit Status:
no public exploitCVE-2026-22890
CVSS 6.5Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Affected Products:
EV2GO ev2go.io – all
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Valid Accounts
Brute Force
Modify Authentication Process
Exploitation for Credential Access
Adversary-in-the-Middle
Modify Authentication Process: Multi-Factor Authentication
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication
Control ID: 8.3
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Verification and Authentication
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure vulnerability in EV charging systems enables station impersonation, session hijacking, and denial-of-service attacks disrupting energy distribution networks.
Transportation
WebSocket authentication flaws allow unauthorized control of charging infrastructure, potentially stranding electric vehicles and compromising transportation system reliability nationwide.
Automotive
Missing authentication mechanisms in EV2GO charging platforms expose electric vehicle manufacturers to supply chain attacks affecting customer charging experiences.
Oil/Energy/Solar/Greentech
Infrastructure vulnerabilities threaten green energy transition by enabling attackers to manipulate charging data and disrupt renewable energy integration systems.
Sources
- EV2GO ev2go.iohttps://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04Verified
- CVE-2026-24731 Detail | NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-24731Verified
- TRJ Cybersecurity — EV2GO Charging Platform Exposedhttps://therealistjuggernaut.com/2026/02/26/trj-cybersecurity-ev2go-charging-platform-exposed-authentication-failures-create-high-risk-entry-points-across-global-ev-infrastructure/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit network vulnerabilities, thereby reducing the potential blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to impersonate devices and gain unauthorized access would likely be constrained, limiting initial entry points.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and control infrastructure would likely be constrained, reducing unauthorized control.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely be constrained, reducing the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control would likely be constrained, limiting manipulation of backend data.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing data loss.
The attacker's ability to disrupt services would likely be constrained, reducing the scale of denial of service.
Impact at a Glance
Affected Business Functions
- Charging Station Operations
- Billing Systems
- Customer Data Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of customer PII and operational data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement robust authentication mechanisms for all WebSocket endpoints to prevent unauthorized access.
- • Enforce strict session management policies to mitigate session hijacking risks.
- • Deploy Zero Trust Segmentation to limit lateral movement within the network.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- • Establish Egress Security & Policy Enforcement to control and monitor outbound traffic, preventing data exfiltration.
