PatchSiren cyber security CVE debrief
CVE-2026-25774 EV Energy CVE debrief
CVE-2026-25774 describes an information exposure issue in EV Energy / ev.energy where charging station authentication identifiers were publicly accessible through web-based mapping platforms. CISA published the advisory on 2026-02-26 and assigned a medium CVSS score of 6.5. The supplied source does not indicate exploitation, a KEV listing, or availability impact, but the exposure could still enable unauthorized discovery of sensitive identifiers tied to charging infrastructure.
- Vendor: EV Energy
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Operators and administrators of EV charging infrastructure using EV Energy / ev.energy, security teams responsible for connected charging assets, and organizations that integrate third-party mapping or fleet-management platforms should review this advisory. Teams should also care if they ingest or publish station metadata through external web-based mapping services.
Technical summary
According to the CISA CSAF advisory, charging station authentication identifiers are publicly accessible via web-based mapping platforms. The advisory scope is EV Energy / ev.energy, listed as vers:all/* in the supplied source. The CVSS v3.1 vector provided by CISA is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network-reachable exposure with limited confidentiality and integrity impact and no availability impact. No exploit details, active campaign information, or KEV entry are provided in the supplied corpus.
Defensive priority
Medium. The exposure is public and reachable over the network, but the supplied source does not show active exploitation or a broader campaign. It should be addressed promptly because exposed authentication identifiers can undermine access control or enable follow-on abuse if combined with other weaknesses.
Recommended defensive actions
- Review EV Energy / ev.energy deployments and any connected mapping platforms for exposed station authentication identifiers.
- Remove or restrict public access to sensitive identifiers and confirm that only intended fields are published externally.
- Rotate or invalidate any identifiers that may have been exposed, following vendor and operational procedures.
- Validate data-sharing settings, APIs, and map integrations for least-privilege exposure.
- Monitor charging infrastructure and related accounts for unusual access or configuration changes.
- Contact EV Energy using the vendor contact page referenced in the advisory if remediation guidance is needed.
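One way to run the first two checks above against your own station export before it reaches a mapping platform (an added example, not code from the advisory or from EV Energy). The feed layout, field names, allowlist and identifiers are constructed assumptions; substitute your own export and identifier inventory.

```python
import json

# Assumption: fields your organisation intends to publish on a public map.
ALLOWED_FIELDS = {"name", "latitude", "longitude", "status",
                  "connectors", "type", "power_kw"}
NOT_ALLOWED = "field not on publish allowlist"
LEAKED = "value contains a station authentication identifier"

def audit(node, identifiers, path="", findings=None):
    """Walk nested feed data; return (path, reason) for every problem found."""
    findings = [] if findings is None else findings
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key not in ALLOWED_FIELDS:
                findings.append((child, NOT_ALLOWED))
            audit(value, identifiers, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            audit(item, identifiers, f"{path}[{i}]", findings)
    else:
        # Substring, case-insensitive: catches identifiers embedded in URLs or notes.
        text = str(node).casefold()
        if any(i.casefold() in text for i in identifiers if i):
            findings.append((path, LEAKED))
    return findings

# Constructed sample feed and identifier inventory (not real data).
SAMPLE_FEED = json.loads("""[
  {"name": "Depot A", "latitude": 51.5, "longitude": -0.12,
   "connectors": [{"type": "Type 2", "power_kw": 22}],
   "station_auth_id": "CONSTRUCTED-ID-0001"},
  {"name": "Depot B", "latitude": 51.6, "longitude": -0.1,
   "status": "see https://example.invalid/s?id=constructed-id-0002",
   "connectors": [{"type": "CCS", "power_kw": 50}]},
  {"name": "Depot C", "latitude": 51.7, "longitude": -0.09,
   "connectors": [{"type": "CCS", "power_kw": 150}]}
]""")
INVENTORY = {"CONSTRUCTED-ID-0001", "CONSTRUCTED-ID-0002", "CONSTRUCTED-ID-0003"}

if __name__ == "__main__":
    for where, why in audit(SAMPLE_FEED, INVENTORY):
        print(f"{where}: {why}")
```

The allowlist check catches a dedicated identifier field, while the value scan catches an identifier that slipped into an otherwise permitted field such as a status note or link.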
Evidence notes
This debrief is based only on the supplied CISA CSAF source item and the official links included in the prompt. The advisory text explicitly states: "Charging station authentication identifiers are publicly accessible via web-based mapping platforms." The source also lists the product scope as EV Energy / ev.energy / vers:all/*, the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, and notes that EV Energy did not respond to CISA's coordination request. No additional exploitation or incident evidence was provided.
Official resources
- CVE-2026-25774 CVE record (CVE.org)
- CVE-2026-25774 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-02-26 as an initial publication. The supplied source indicates EV Energy did not respond to CISA's coordination request. No KEV entry is listed in the provided corpus.