PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27772 EV Energy CVE debrief

CISA published CVE-2026-27772 on 2026-02-26 as a critical issue affecting EV Energy ev.energy. According to the advisory, WebSocket endpoints used for OCPP communication do not enforce proper authentication. That weakness can let an unauthenticated attacker connect with a known or discovered charging-station identifier, impersonate a legitimate charger, and send or receive OCPP traffic as if they were an authorized device. The result can be unauthorized control of charging infrastructure, privilege escalation, and corruption of charging-network data reported to the backend.

Vendor: EV Energy
Product: Unknown
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

EV charging operators, fleet charging program owners, backend platform administrators, OT/ICS defenders, and teams that manage OCPP WebSocket infrastructure should treat this as urgent. It is especially relevant anywhere charger identity is trusted based only on a station identifier rather than strong authentication.

Technical summary

The CISA source describes a lack of authentication on OCPP WebSocket endpoints. An attacker does not need credentials to establish a connection if they know or can discover a station identifier. Once connected, the attacker may impersonate a charger and interact with backend OCPP workflows, which can undermine the integrity of telemetry and control messages. The advisory assigns a CVSS 3.1 score of 9.4 (Critical), with a network attack vector, no privileges required, no user interaction, high confidentiality and integrity impact, and low availability impact.

Defensive priority

Critical priority. This is a network-reachable authentication failure on a control path that directly affects EV charging operations and backend trust. Because the issue enables unauthorized impersonation and data manipulation without credentials, exposure should be reduced immediately and compensating controls should be checked at once.

Recommended defensive actions

  • Restrict access to OCPP WebSocket endpoints to trusted networks and management paths only.
  • Require strong authentication for every charger connection and session, not just a station identifier.
  • Validate station identity and authorize each connection and command exchange on the backend.
  • Review logs for unexpected charger connections, reused identifiers, or anomalous OCPP activity.
  • Revoke or rotate any credentials, identifiers, or secrets that may have been exposed or guessed.
  • Verify that backend records and charger state data have not been altered or corrupted.
  • Apply CISA-recommended ICS defensive practices for segmentation, monitoring, and defense in depth.
  • Contact EV Energy through the vendor contact page referenced by CISA for remediation guidance.
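
As an added illustration of the log-review action above (not code from CISA, EV Energy or PatchSiren), this Python example flags station identifiers that are unknown, that connect from an unexpected source address, or that are opened while another source already holds a session under the same identifier. The log format, the `/ocpp/<station-id>` path and the `KNOWN_STATIONS` inventory are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed reverse-proxy format:
# timestamp, source IP, event (OPEN/CLOSE), WebSocket path ending in the station id.
SAMPLE_LOG = """\
2026-02-26T08:00:01Z 10.20.0.11 OPEN /ocpp/CP-0001
2026-02-26T08:00:05Z 10.20.0.12 OPEN /ocpp/CP-0002
2026-02-26T08:03:40Z 203.0.113.50 OPEN /ocpp/CP-0001
2026-02-26T08:04:10Z 10.20.0.12 CLOSE /ocpp/CP-0002
2026-02-26T08:04:12Z 10.20.0.12 OPEN /ocpp/CP-0002
2026-02-26T08:05:00Z 203.0.113.50 OPEN /ocpp/CP-0777
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OPEN|CLOSE) /ocpp/(\S+)$")

# Hypothetical inventory: station identifier -> expected source address.
KNOWN_STATIONS = {"CP-0001": "10.20.0.11", "CP-0002": "10.20.0.12"}


def review(log_text, inventory):
    """Return (timestamp, station, source, reason) tuples for suspicious connections."""
    open_sessions = defaultdict(set)  # station id -> sources holding an open socket
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, src, event, station = m.groups()
        if event == "CLOSE":
            open_sessions[station].discard(src)
            continue
        if station not in inventory:
            findings.append((ts, station, src, "unknown station identifier"))
        elif inventory[station] != src:
            findings.append((ts, station, src, "unexpected source address"))
        # A second source opening the same identifier suggests reuse or impersonation.
        others = open_sessions[station] - {src}
        if others:
            reason = "identifier already in use from " + ",".join(sorted(others))
            findings.append((ts, station, src, reason))
        open_sessions[station].add(src)
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, KNOWN_STATIONS):
        print(*finding, sep="  ")
```

The source-address comparison is only meaningful where chargers reach the backend from fixed addresses; on cellular or NAT-shared links, rely on the concurrent-session and unknown-identifier checks.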

Evidence notes

All substantive claims in this debrief are drawn from the supplied CISA CSAF source item for ICSA-26-057-07 and its metadata. The source states that EV Energy did not respond to CISA's coordination request, and no vendor fix details are provided in the corpus. Timing is based on the CVE publishedAt/modifiedAt and source publishedAt/modifiedAt values of 2026-02-26T07:00:00.000Z.

Official resources

CISA published the advisory and CVE record on 2026-02-26. The source corpus does not include exploit code or proof-of-concept material, and it notes that EV Energy did not respond to CISA's coordination request.