PatchSiren cyber security CVE debrief
CVE-2026-27028 Mobility46 CVE debrief
CVE-2026-27028 is a critical authentication flaw in Mobility46/mobility46.se OCPP WebSocket endpoints. According to the CISA CSAF advisory, an attacker who knows or discovers a charging-station identifier can connect without authentication, impersonate a legitimate charger, and issue or receive OCPP commands. The result can be unauthorized control of charging infrastructure, privilege escalation, and corruption of data reported to the backend.
- Vendor: Mobility46
- Product: Unknown
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Operators of Mobility46-based EV charging infrastructure, backend administrators, SOC and OT security teams, and any integrators exposing OCPP WebSocket endpoints to untrusted networks should treat this as urgent. Because the supplied record flags the vendor mapping as low-confidence and needing review, organizations should also confirm whether their deployed platform matches the advisory’s product naming.
Technical summary
The advisory states that WebSocket endpoints lack proper authentication mechanisms. An unauthenticated remote attacker can connect to the OCPP WebSocket endpoint using a known or discovered station identifier, then act as a legitimate charging station to send or receive OCPP commands. The documented impact includes privilege escalation, unauthorized control of charging assets, and corruption of backend charging-network data. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L (9.4). The supplied enrichment data does not list the issue in CISA KEV.
Defensive priority
Immediate / critical. This is a network-reachable, unauthenticated access-control failure affecting control-plane communications. Prioritize exposure reduction, endpoint authentication review, and active monitoring for station impersonation or unexpected OCPP sessions.
Recommended defensive actions
- Identify any Mobility46 or mobility46.se deployments and confirm which OCPP endpoints are reachable from untrusted networks.
- Restrict network access to OCPP WebSocket endpoints to trusted management paths only until strong authentication is validated.
- Review whether station identity is authenticated at the transport or application layer; if not, plan compensating controls and vendor remediation.
- Monitor for anomalous station identifiers, unusual WebSocket connections, and backend records that indicate charger impersonation or unexpected command activity.
- If you operate affected infrastructure, contact the vendor using the contact page provided in the advisory and document mitigation status.
- Validate and preserve logs related to OCPP sessions and backend command handling for incident investigation and integrity checks.
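The monitoring action above can be run as a check over backend session logs. The following is an added example, not code from the advisory or the vendor; the log line format, the station inventory, the identifiers and the addresses are all constructed assumptions. It flags sessions for unknown station identifiers, known identifiers arriving from an unexpected source, and a second session opened while the same identifier is already connected from elsewhere.

```python
from datetime import datetime

# Constructed inventory: station identifier -> source address the operator expects.
INVENTORY = {"CP-0001": "10.20.0.11", "CP-0002": "10.20.0.12"}

# Constructed session log: ISO timestamp, event, station identifier, source address.
SAMPLE_LOG = """\
2026-02-26T08:00:00Z CONNECT CP-0001 10.20.0.11
2026-02-26T08:00:05Z CONNECT CP-0002 10.20.0.12
2026-02-26T08:10:00Z CONNECT CP-0001 203.0.113.50
2026-02-26T08:12:00Z CONNECT CP-9999 203.0.113.50
2026-02-26T08:20:00Z DISCONNECT CP-0002 10.20.0.12
2026-02-26T08:21:00Z CONNECT CP-0002 10.20.0.12
"""

def parse(line):
    """Split one log line into (timestamp, event, station, source)."""
    ts, event, station, src = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, station, src

def find_anomalies(log_text, inventory):
    """Return (timestamp, station, source, reason) tuples for suspicious sessions."""
    open_sessions = {}  # station -> source addresses that currently hold a session
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, station, src = parse(line)
        active = open_sessions.setdefault(station, set())
        if event == "DISCONNECT":
            active.discard(src)
            continue
        if station not in inventory:
            findings.append((ts, station, src, "unknown-station-id"))
        elif src != inventory[station]:
            findings.append((ts, station, src, "unexpected-source"))
        # A second live session under the same identity suggests impersonation.
        if active - {src}:
            findings.append((ts, station, src, "concurrent-session"))
        active.add(src)
    return findings

if __name__ == "__main__":
    for ts, station, src, reason in find_anomalies(SAMPLE_LOG, INVENTORY):
        print(ts.isoformat(), station, src, reason)
```

A reconnect from the expected address after a clean disconnect, as CP-0002 does in the sample, produces no finding.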
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-057-08 and its embedded CVE record for CVE-2026-27028, both published and modified on 2026-02-26T07:00:00Z in the supplied corpus. The source explicitly describes unauthenticated OCPP WebSocket access, station impersonation, and backend data corruption. The supplied vendor metadata marks the vendor attribution as low confidence and needing review, so product naming should be confirmed locally before remediation planning. No KEV listing is present in the supplied enrichment fields.
Official resources
- CVE-2026-27028 CVE record (CVE.org)
- CVE-2026-27028 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published ICSA-26-057-08 and the associated CVE record on 2026-02-26T07:00:00Z. The supplied advisory notes that Mobility46 did not respond to CISA’s request for coordination, and the remediation entry points to the vendor contact page