Executive Summary
In June 2026, multiple critical vulnerabilities were identified in EVoke Systems' Charging Station Management System (CSMS), potentially allowing attackers to gain unauthorized administrative control over charging stations or disrupt services via denial-of-service attacks. The vulnerabilities include missing authentication for critical functions, improper restriction of excessive authentication attempts, insufficient session expiration, and insufficiently protected credentials. These flaws affect all versions of EVoke CSMS and pose significant risks to the energy and transportation sectors worldwide.
The discovery of these vulnerabilities underscores the growing cybersecurity challenges in the electric vehicle infrastructure. As the adoption of EVs accelerates, ensuring the security of charging networks becomes paramount to prevent potential disruptions and safeguard user data.
Why This Matters Now
The rapid expansion of electric vehicle infrastructure increases the attack surface for cyber threats. Addressing these vulnerabilities promptly is crucial to maintain the reliability and security of charging networks, especially as they become integral to global transportation systems.
Attack Path Analysis
An attacker exploited the lack of authentication in WebSocket endpoints to impersonate charging stations, gaining unauthorized access. They then escalated privileges by exploiting predictable session identifiers, allowing multiple simultaneous connections with the same ID. Utilizing these vulnerabilities, the attacker moved laterally within the network, accessing other charging stations and backend systems. They established command and control by maintaining persistent unauthorized sessions. The attacker exfiltrated sensitive data from the compromised systems. Finally, they disrupted charging services, causing denial-of-service conditions.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the lack of authentication in WebSocket endpoints to impersonate charging stations, gaining unauthorized access.
Related CVEs
CVE-2026-22552
CVSS 9.8WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations and manipulate data sent to the backend.
Affected Products:
EVoke Systems Charging Station Management System – all
Exploit Status:
no public exploitCVE-2026-20895
CVSS 7.5The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier, leading to session hijacking or denial-of-service conditions.
Affected Products:
EVoke Systems Charging Station Management System – all
Exploit Status:
no public exploitCVE-2026-22890
CVSS 5.3Charging station authentication identifiers are publicly accessible via web-based mapping platforms, potentially exposing sensitive information.
Affected Products:
EVoke Systems Charging Station Management System – all
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Web Protocols
Network Denial of Service
Credential Stuffing
Local Accounts
Cloud Accounts
Default Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit repeated access attempts
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Electric vehicle charging infrastructure vulnerabilities expose automotive sector to denial-of-service attacks, unauthorized charging station control, and disrupted EV operations.
Oil/Energy/Solar/Greentech
Critical energy infrastructure faces authentication bypass risks in charging management systems, enabling unauthorized control and potential grid stability disruptions.
Transportation
Transportation networks dependent on EV charging infrastructure vulnerable to session hijacking and service disruption attacks affecting fleet operations and logistics.
Utilities
Utility providers managing charging station networks face critical authentication vulnerabilities enabling attackers to impersonate devices and disrupt electrical grid integration.
Sources
- EVoke Systems Charging Station Management Systemhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02Verified
- CVE-2026-22552 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2026-22552Verified
- CVE-2026-20895 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2026-20895Verified
- CVE-2026-22890 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2026-22890Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to exploit authentication weaknesses and move laterally within the network, thereby reducing the potential blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit unauthenticated WebSocket endpoints would likely be constrained, reducing unauthorized access opportunities.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges through predictable session identifiers would likely be constrained, reducing unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing unauthorized access to other systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent unauthorized sessions would likely be constrained, reducing command and control capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing data loss.
The attacker's ability to disrupt charging services would likely be constrained, reducing service downtime.
Impact at a Glance
Affected Business Functions
- Charging Station Operations
- Customer Billing
- Energy Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of charging station authentication identifiers and session data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement strong authentication mechanisms for all WebSocket endpoints to prevent unauthorized access.
- • Enforce strict session management policies to prevent multiple simultaneous connections with the same ID.
- • Apply zero trust segmentation to limit lateral movement within the network.
- • Deploy continuous monitoring and anomaly detection systems to identify and respond to unauthorized activities.
- • Regularly update and patch systems to address known vulnerabilities and enhance security posture.



