CVE-2026-40702
Deferred Deferred - Pending Action

WebSocket Authentication Bypass in EV Charging Stations

Vulnerability report for CVE-2026-40702, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: ICS-CERT

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
evoke charging_station_management_system *
evoke electric_vehicle_supply_equipment *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves WebSocket endpoints that lack proper authentication mechanisms. Because no authentication is required, attackers can impersonate charging stations.

This allows attackers to gain unauthorized access to sensitive data or perform unauthorized actions within the system.

Detection Guidance

This vulnerability can be detected by monitoring WebSocket endpoints for the absence of authentication mechanisms and unusual activity such as multiple simultaneous connections from the same charger ID or rapid authentication attempts indicating brute-force attacks.

Network administrators should look for WebSocket connections that do not require authentication and check for lack of rate limiting on authentication requests.

Suggested commands include using network monitoring tools to inspect WebSocket traffic, for example:

  • Using tcpdump or Wireshark to capture and analyze WebSocket traffic on relevant ports.
  • Using curl or websocat to attempt connections to the WebSocket endpoints to verify if authentication is enforced.
  • Checking server logs for multiple authentication attempts or simultaneous connections from the same charger ID.
Impact Analysis

The vulnerability can lead to privilege escalation and potentially compromise the security of the entire system.

Attackers exploiting this weakness can access sensitive data or carry out unauthorized actions, which may disrupt operations or cause data breaches.

Compliance Impact

This vulnerability allows attackers to impersonate charging stations due to lack of proper authentication on WebSocket endpoints, leading to unauthorized access to sensitive data and unauthorized actions.

Such unauthorized access and potential compromise of sensitive data can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive information and proper access controls.

Failure to implement authentication mechanisms and prevent privilege escalation may result in violations of these regulations, exposing organizations to legal and financial penalties.

Mitigation Strategies

Immediate mitigation steps include minimizing network exposure of the vulnerable charging station management system and isolating control systems from general network access.

Implement secure remote access methods such as VPNs to restrict access to the WebSocket endpoints.

Apply server-side protections like allow-listing authorized devices, enforcing single active connections per charger ID, and adding rate-limiting controls to prevent brute-force or denial-of-service attacks.

Plan to migrate legacy chargers to stronger security profiles (OCPP Security Profiles 2 or 3) to ensure proper authentication mechanisms are in place.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40702. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart