Executive Summary
In March 2026, multiple vulnerabilities, one of them rated critical, were disclosed in Everon's OCPP Backends, affecting all versions of the platform. The reported weakness classes are missing authentication for a critical function, improper restriction of excessive authentication attempts, insufficient session expiration, and insufficiently protected credentials. Exploitation could let an attacker impersonate charging stations toward the backend, gain unauthorized administrative control over charging stations, or disrupt service through denial of service. (incibe.es)
The disclosure underscores the growing cybersecurity risk in electric vehicle (EV) charging infrastructure. As EV adoption accelerates, securing the backends that charging networks depend on becomes essential to preventing operational disruption and protecting user data.
Why This Matters Now
The affected component is the backend endpoint that every charging station in the fleet talks to, so a single weakness in it is exposed fleet-wide rather than per station. No public exploit is known for either CVE yet, which gives operators a window to add authentication and session controls before the flaws are weaponized.
Attack Path Analysis
An attacker who can reach Everon's OCPP WebSocket endpoint connects with a known or guessed charging station identifier; because the endpoint does not authenticate the station (CVE-2026-27028), the connection is accepted as that station. Because the backend also admits more than one connection for the same identifier (CVE-2026-20895), the attacker's session can run alongside the real station's session, hijacking or shadowing it, and the attacker can issue or alter messages as the legitimate charger. From that foothold the attacker may move laterally to other systems connected to the backend, establish command and control to keep persistent access, exfiltrate sensitive data, and finally disrupt charging services, causing operational downtime.
Kill Chain Progression
Initial Compromise
Description
The attacker exploits the absence of authentication on Everon's OCPP WebSocket endpoints to impersonate a charging station and gain unauthorized access to the backend.
Related CVEs
CVE-2026-27028 (CVSS 9.8)
WebSocket endpoints lack proper authentication, enabling an attacker to impersonate a charging station and manipulate the data sent to the backend.
Affected Products: Everon OCPP Backends – all versions
Exploit Status: no public exploit

CVE-2026-20895 (CVSS 7.5)
The WebSocket backend uses the charging station identifier to associate a session, but allows multiple endpoints to connect using the same identifier, enabling session hijacking or shadowing.
Affected Products: Everon OCPP Backends – all versions
Exploit Status: no public exploit
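The two CVE descriptions above amount to two admission decisions a CSMS backend makes when a station opens ws(s)://host/ocpp/&lt;chargePointId&gt;: does it check anything beyond the identifier in the path, and does it allow a second connection for an identifier that already has a live session. The following added example, written for this page and not code from Everon or from the advisory, models both decisions in pure Python with no network. `VulnerableGateway` reproduces the described behaviour; `HardenedGateway` binds an HTTP Basic credential to the path identifier (the OCPP 1.6 security-profile convention of username equals charge point id), stores only a PBKDF2 hash, locks the identity after repeated failures, keeps exactly one live session per station and records a displacement event, and expires sessions after a maximum age. Station names, secrets, the URL layout, the lockout and age thresholds, and the timestamps are all assumptions for illustration.

```python
import base64
import hashlib
import hmac

# Policy values are assumptions for this example, not Everon configuration.
MAX_FAILED_ATTEMPTS, LOCKOUT_SECONDS, SESSION_MAX_AGE = 5, 300, 24 * 3600


def hash_secret(secret, salt):
    """PBKDF2, so the backend stores no recoverable station password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def basic_header(user, pw):
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}


class VulnerableGateway:
    """Identity is whatever follows /ocpp/ in the path, and a second connection with
    the same identifier is accepted beside the first (impersonation plus shadowing)."""

    def __init__(self):
        self.sessions = {}  # conn_id -> cp_id

    def accept(self, path, headers, conn_id, now):
        self.sessions[conn_id] = path.rsplit("/", 1)[-1]
        return True, self.sessions[conn_id]

    def active_for(self, cp_id):
        return sorted(c for c, cp in self.sessions.items() if cp == cp_id)


class HardenedGateway:
    """Basic-auth credential bound to the station id, lockout after repeated
    failures, one live session per station, and a maximum session age."""

    def __init__(self, secrets):
        self.secrets = secrets   # cp_id -> (salt, secret_hash); never the plaintext
        self.failed = {}         # cp_id -> consecutive authentication failures
        self.locked_until = {}   # cp_id -> time until which handshakes are refused
        self.by_cp = {}          # cp_id -> (conn_id, started): the one live session
        self.events = []         # security events worth alerting on

    def _fail(self, cp_id, now, reason):
        self.failed[cp_id] = self.failed.get(cp_id, 0) + 1
        if self.failed[cp_id] >= MAX_FAILED_ATTEMPTS:  # throttle online guessing
            self.locked_until[cp_id] = now + LOCKOUT_SECONDS
            self.events.append(("lockout", cp_id))
        return False, reason

    def accept(self, path, headers, conn_id, now):
        cp_id = path.rsplit("/", 1)[-1]
        if cp_id not in self.secrets:
            return False, "unknown station"
        if now < self.locked_until.get(cp_id, 0.0):
            return False, "locked out"
        auth = headers.get("Authorization", "")
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user = pw = None
        if not auth.startswith("Basic ") or user != cp_id:  # username must equal path id
            return self._fail(cp_id, now, "missing or mismatched credentials")
        salt, secret_hash = self.secrets[cp_id]
        if not hmac.compare_digest(hash_secret(pw, salt), secret_hash):
            return self._fail(cp_id, now, "bad secret")
        self.failed[cp_id] = 0
        if cp_id in self.by_cp:
            # One identity, one session: the newer connection displaces the older, recorded.
            self.events.append(("displaced", cp_id, self.by_cp[cp_id][0]))
        self.by_cp[cp_id] = (conn_id, now)
        return True, cp_id

    def expire(self, now):
        """Cap session age so a hijacked or shadowed session cannot live forever."""
        stale = [cp for cp, (_, t) in self.by_cp.items() if now - t > SESSION_MAX_AGE]
        for cp in stale:
            del self.by_cp[cp]
        return stale

    def active_for(self, cp_id):
        return [self.by_cp[cp_id][0]] if cp_id in self.by_cp else []


def run_scenario():
    salt = b"example-salt"  # constructed station record, not a real deployment
    vuln = VulnerableGateway()
    hard = HardenedGateway({"CP-001": (salt, hash_secret("s3cret-CP-001", salt))})
    t0 = 1_000_000.0
    for gw in (vuln, hard):
        gw.accept("/ocpp/CP-001", basic_header("CP-001", "s3cret-CP-001"), "real", t0)
        gw.accept("/ocpp/CP-001", {}, "attacker", t0 + 1)  # impersonation, no credential
    last = None
    for i in range(MAX_FAILED_ATTEMPTS + 1):  # online guessing against CP-001
        last = hard.accept("/ocpp/CP-001", basic_header("CP-001", f"guess{i}"), f"g{i}", t0 + 2 + i)
    return {"vulnerable_sessions": vuln.active_for("CP-001"),  # ['attacker', 'real']
            "hardened_sessions": hard.active_for("CP-001"),    # ['real']
            "last_guess": last,                                # (False, 'locked out')
            "events": hard.events,                             # [('lockout', 'CP-001')]
            "expired": hard.expire(t0 + SESSION_MAX_AGE + 10)}  # ['CP-001']
```

Calling `run_scenario()` shows the contrast directly: the vulnerable gateway ends with both `real` and `attacker` live under the same identifier, while the hardened one rejects the unauthenticated connection, locks the identity after the fifth bad guess, and later expires the long-lived session. The displacement event matters for the second CVE: an authenticated reconnect for an identity that already has a session is legitimate after a network drop, so the right response is to close the older session and alert, not to silently run two.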
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Web Protocols
Use Alternate Authentication Material
Network Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access to CDE
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Vulnerabilities in EV charging infrastructure can give an attacker unauthorized control over energy assets; at fleet scale, manipulated charging can disturb power grid operations and energy distribution.
Transportation
OCPP backend authentication flaws allow attackers to manipulate EV charging stations, potentially stranding vehicles and disrupting transportation services through denial of service.
Utilities
Missing authentication in charging infrastructure opens paths toward grid destabilization, unauthorized monitoring of energy consumption, and manipulation of the metering data that utility billing relies on.
Automotive
Compromised charging station backends can expose vehicle telemetry and enable session hijacking, affecting automotive ecosystem security and the reliability of customer charging services.
Sources
- Everon OCPP Backends (CISA ICS advisory ICSA-26-062-08): https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08
- NVD entry for CVE-2026-27028: https://nvd.nist.gov/vuln/detail/CVE-2026-27028
- NVD entry for CVE-2026-20895: https://nvd.nist.gov/vuln/detail/CVE-2026-20895
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit unauthenticated WebSocket endpoints, thereby reducing the potential for lateral movement and data exfiltration within the network.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing identity-aware policies would likely have constrained unauthorized access by ensuring only authenticated entities could communicate with the WebSocket endpoints.
Control: Zero Trust Segmentation
Mitigation: Enforcing least-privilege access controls would likely have restricted the attacker's ability to escalate privileges by limiting command execution to authorized entities.
Control: East-West Traffic Security
Mitigation: Implementing east-west traffic controls would likely have limited the attacker's ability to move laterally by restricting unauthorized inter-system communications.
Control: Multicloud Visibility & Control
Mitigation: Enhanced visibility and control would likely have identified and constrained unauthorized command and control channels, limiting the attacker's persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Enforcing egress policies would likely have restricted unauthorized data exfiltration by controlling outbound data flows.
With these controls in place, any residual impact would likely be confined to isolated systems, reducing overall operational disruption. They are network-layer compensating controls, however: they do not fix the missing authentication and session handling in the OCPP backend itself, which still has to be corrected in the application.
Impact at a Glance
Affected Business Functions
- Charging Station Operations
- Customer Billing
- Energy Management
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of charging station operational data and customer usage patterns.
Recommended Actions
Key Takeaways & Next Steps
- Implement robust authentication mechanisms for all WebSocket endpoints to prevent unauthorized access.
- Enforce Zero Trust Segmentation to limit lateral movement within the network.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- Establish Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
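Until the backend is fixed, the detection recommendation above can be made concrete from the WebSocket handshake logs the backend or its reverse proxy already produces. The following added example, written for this page and not code from Everon or the advisory, runs two checks over constructed log lines: one station identifier completing a handshake from two different source addresses within a short window (the impersonation and shadowing the CVEs describe), and one source address accumulating many authentication failures within the window (guessing that an unthrottled backend would not stop). The log format, addresses, station names, window and threshold are all assumptions; the advisory does not describe Everon's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed handshake-log lines in an assumed format: ISO timestamp, source
# address, request path, HTTP status (101 = WebSocket upgrade accepted).
SAMPLE_LOG = """\
2026-03-03T10:00:01Z src=198.51.100.10 path=/ocpp/CP-001 status=101
2026-03-03T10:00:05Z src=198.51.100.11 path=/ocpp/CP-002 status=101
2026-03-03T10:02:30Z src=203.0.113.7 path=/ocpp/CP-001 status=101
2026-03-03T10:03:00Z src=203.0.113.7 path=/ocpp/CP-003 status=401
2026-03-03T10:03:01Z src=203.0.113.7 path=/ocpp/CP-003 status=401
2026-03-03T10:03:02Z src=203.0.113.7 path=/ocpp/CP-003 status=401
2026-03-03T10:03:03Z src=203.0.113.7 path=/ocpp/CP-003 status=401
2026-03-03T10:03:04Z src=203.0.113.7 path=/ocpp/CP-003 status=401
2026-03-03T10:03:05Z src=203.0.113.7 path=/ocpp/CP-003 status=401
2026-03-03T11:30:00Z src=198.51.100.10 path=/ocpp/CP-001 status=101
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) path=/ocpp/(?P<cp>[^\s/]+) status=(?P<status>\d+)$")


def parse(text):
    """Turn log text into dicts with a datetime ts, source address, station id and status."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # unparseable lines are skipped rather than crashing the detector
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            e["status"] = int(e["status"])
            events.append(e)
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=5):
    """shared_identity: one station id accepted (101) from two different source
    addresses within the window. auth_failures: one source reached at least
    fail_threshold 401s within the window."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts, seen = [], set()
    accepted = defaultdict(list)  # cp -> earlier accepted handshakes
    for e in events:
        if e["status"] != 101:
            continue
        for prev in accepted[e["cp"]]:
            if prev["src"] != e["src"] and e["ts"] - prev["ts"] <= window:
                key = (e["cp"], tuple(sorted((prev["src"], e["src"]))))
                if key not in seen:  # one alert per (station, address pair)
                    seen.add(key)
                    alerts.append(("shared_identity",) + key)
        accepted[e["cp"]].append(e)
    failures = defaultdict(list)  # src -> timestamps of 401s, in time order
    for e in events:
        if e["status"] == 401:
            failures[e["src"]].append(e["ts"])
    for src, times in failures.items():
        peak, j = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= fail_threshold:
            alerts.append(("auth_failures", src, peak))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, the detector raises one `shared_identity` alert for CP-001 (accepted from 198.51.100.10 and, two and a half minutes later, from 203.0.113.7) and one `auth_failures` alert for 203.0.113.7 with six failures in the window; the 11:30 reconnect of CP-001 from its original address is outside the window and does not alert. The address-pair rule will also fire on a legitimate station whose upstream NAT address changes during a reconnect, so tune the window to the fleet's observed reconnect behaviour and treat the alert as a trigger to compare the two sessions rather than as proof of compromise.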