Critical Vulnerabilities Expose EV Charging Stations to Administrative Takeover and DoS Attacks
A recent advisory from **CISA** details multiple critical vulnerabilities in **EVoke Systems Charging Station Management System (CSMS)**. Successful exploitation could grant attackers unauthorized administrative control over charging stations or enable disruptive denial-of-service (DoS) attacks, impacting critical energy and transportation infrastructure worldwide.
The vulnerabilities, which carry a **CVSS v3 score of 9.4**, affect all versions of **EVoke Systems CSMS**. These flaws stem from a combination of missing authentication, improper rate limiting, insufficient session expiration, and publicly exposed credentials.
### Unpacking the Vulnerabilities
Four distinct **CVEs** have been identified, each presenting a significant risk to the security and operational integrity of EV charging infrastructure:
#### **CVE-2026-40702**: Missing Authentication for Critical Function
The **WebSocket** endpoints lack proper authentication. Attackers can impersonate charging stations, gaining unauthorized access to sensitive data or performing unauthorized actions. The absence of authentication allows for privilege escalation, potentially compromising the entire system.
#### **CVE-2026-50176**: Improper Restriction of Excessive Authentication Attempts
The **WebSocket Application Programming Interface** is susceptible to brute-force and denial-of-service attacks due to a lack of restrictions on the number of authentication requests. This oversight allows malicious actors to overwhelm the system or gain unauthorized access through repeated attempts.
#### **CVE-2026-54479**: Insufficient Session Expiration
**EVoke Systems CSMS** uses predictable session identifiers by associating multiple endpoints with the same charging station identifier. This weakness allows unauthorized users to authenticate as legitimate users or enables attackers to trigger a denial-of-service condition by flooding the backend with valid session requests.
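A defender-side check for the conditions described under CVE-2026-50176 and CVE-2026-54479, added here as an example that is not code from the advisory or from EVoke Systems. It scans CSMS connection logs for one charging station identifier arriving from different sources and for bursts of failed authentication from a single source. The log layout, event names, and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log, assumed to be in time order. The layout
# "time station_id source_ip event" is an assumption, not the EVoke CSMS format.
SAMPLE_LOG = """\
2026-01-10T08:00:00 CP-0001 10.0.1.5 CONNECT
2026-01-10T08:00:05 CP-0002 10.0.2.9 CONNECT
2026-01-10T08:00:30 CP-0001 203.0.113.7 CONNECT
2026-01-10T08:01:00 CP-0003 198.51.100.4 AUTH_FAIL
2026-01-10T08:01:01 CP-0004 198.51.100.4 AUTH_FAIL
2026-01-10T08:01:02 CP-0005 198.51.100.4 AUTH_FAIL
2026-01-10T08:01:03 CP-0006 198.51.100.4 AUTH_FAIL
2026-01-10T08:20:00 CP-0002 10.0.2.9 CONNECT
"""

def parse(log):
    """Yield (time, station_id, source_ip, event) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, station, ip, event = line.split()
            yield datetime.fromisoformat(ts), station, ip, event

def shared_station_ids(events, window=timedelta(minutes=5)):
    """Map station IDs to the source IPs that connected with them within `window`."""
    last = {}      # station_id -> (time, ip) of its most recent CONNECT
    flagged = {}
    for ts, station, ip, event in events:
        if event != "CONNECT":
            continue
        prev = last.get(station)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            flagged.setdefault(station, set()).update({prev[1], ip})
        last[station] = (ts, ip)
    return flagged

def auth_bursts(events, limit=3, window=timedelta(seconds=60)):
    """Return source IPs with more than `limit` failed authentications in `window`."""
    recent = defaultdict(deque)   # source_ip -> failure times inside the window
    flagged = set()
    for ts, _station, ip, event in events:
        if event != "AUTH_FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged
```

A station that reconnects from the same address, such as `CP-0002` in the sample, is not flagged; only an identifier seen from a second source inside the window is.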
#### **CVE-2026-44622**: Insufficiently Protected Credentials
Alarmingly, charging station authentication identifiers are publicly accessible via web-based mapping platforms. This exposure of sensitive credentials significantly lowers the bar for attackers to gain initial access.
### Critical Infrastructure at Risk
These vulnerabilities pose a direct threat to the Energy and Transportation Systems sectors, with **EVoke Systems CSMS** deployments found worldwide. The potential for administrative takeover or service disruption could have far-reaching consequences for the burgeoning electric vehicle ecosystem.
### Recommended Mitigations
**CISA** urges organizations to implement robust defensive measures to minimize the risk of exploitation. Key recommendations include:
* **Minimizing Network Exposure:** Ensure all control system devices and systems are not directly accessible from the internet.
* **Network Segmentation:** Isolate control system networks and remote devices behind firewalls, separate from business networks.
* **Secure Remote Access:** When remote access is necessary, employ secure methods such as Virtual Private Networks (VPNs). Keep VPNs up to date, and recognize that a VPN is only as secure as the devices connected to it.
* **Impact Analysis and Risk Assessment:** Conduct thorough analyses before deploying any defensive measures.
* **Defense-in-Depth Strategies:** Implement comprehensive cybersecurity strategies for the proactive defense of **ICS** assets.
Organizations observing any suspected malicious activity are encouraged to follow established internal procedures and report findings to **CISA** for tracking and correlation. At this time, no public exploitation specifically targeting these vulnerabilities has been reported to **CISA**.
These vulnerabilities were reported to **CISA** by **Khaled Sarieddine** and **Mohammad Ali Sayed**.