PatchSiren cyber security CVE debrief
CVE-2026-25113 SWITCH EV CVE debrief
CVE-2026-25113 is a network-reachable weakness in the SWTCH EV / swtchenergy.com WebSocket application interface where authentication requests are not rate-limited. According to CISA’s advisory, that gap may let an attacker suppress or mis-route legitimate charger telemetry, trigger denial-of-service conditions, or brute-force authentication to gain unauthorized access. The advisory was first published on 2026-02-26 and updated on 2026-05-14 (Update A) to correct vendor spelling and add SWTCH-provided mitigations.
- Vendor: SWITCH EV
- Product: SWTCH EV swtchenergy.com vers:all/*
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-05-14
- Advisory published: 2026-02-26
- Advisory updated: 2026-05-14
Who should care
Operators of SWTCH EV charging deployments, EV charging fleet administrators, OT/ICS security teams, network defenders responsible for charger connectivity, and incident response teams should prioritize this issue—especially where the WebSocket API is exposed to untrusted devices or networks.
Technical summary
The advisory describes a lack of restrictions on the number of authentication requests that can be made against the WebSocket Application Programming Interface. CISA maps the issue to CWE-307 (Improper Restriction of Excessive Authentication Attempts) and rates it CVSS 3.1 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The stated impacts are denial of service through telemetry suppression or mis-routing, and brute-force attempts that may lead to unauthorized access. The source revision history notes that Update A added mitigations from SWTCH, including additional security checks for initial connections from untrusted chargers, broader connection-control and ingress-protection scrutiny, compensating controls such as monitoring and IP-based access controls, and device-specific upgrade paths where firmware and TLS compatibility allow.
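The control that CWE-307 calls for is easier to reason about with a concrete shape in front of you. The following is an added illustration written for this debrief, not SWTCH's code: the advisory does not describe the real API, its message format or any specific limits, so the message fields (charger_id, token), the policy constants and the sample credential store are all assumptions. It combines a per-source sliding-window lockout with a per-connection failure cap in front of a WebSocket authentication handler, so that a burst of bad credentials closes the socket and then refuses even a correct token until the lockout expires.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field

# Hypothetical policy values; the advisory does not prescribe specific limits.
MAX_FAILURES_PER_WINDOW = 5      # failures per source before lockout
WINDOW_SECONDS = 60.0
LOCKOUT_SECONDS = 300.0
MAX_FAILURES_PER_CONNECTION = 3  # then the server closes the socket


@dataclass
class AuthRateLimiter:
    """Sliding-window failure counter keyed by source (peer IP, TLS client identity, ...)."""
    max_failures: int = MAX_FAILURES_PER_WINDOW
    window: float = WINDOW_SECONDS
    lockout: float = LOCKOUT_SECONDS
    _failures: dict = field(default_factory=dict)      # source -> deque of failure times
    _locked_until: dict = field(default_factory=dict)  # source -> lockout expiry

    def is_locked(self, source, now):
        until = self._locked_until.get(source)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout expired: forget old state so the source starts clean.
        del self._locked_until[source]
        self._failures.pop(source, None)
        return False

    def record_failure(self, source, now):
        """Record a failed attempt; return True if this failure triggered a lockout."""
        q = self._failures.setdefault(source, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[source] = now + self.lockout
            return True
        return False

    def record_success(self, source):
        self._failures.pop(source, None)


@dataclass
class Connection:
    """Per-socket state the server keeps for one WebSocket client."""
    source: str
    failures: int = 0
    authenticated_as: str = None
    closed: bool = False


def handle_auth_message(limiter, conn, msg, now, credentials):
    """Process one hypothetical {"charger_id": ..., "token": ...} auth message.
    Returns a response dict and sets conn.closed when the socket should be dropped."""
    if conn.closed:
        return {"status": "closed"}
    if limiter.is_locked(conn.source, now):
        # Locked-out source: refuse without evaluating the credential at all.
        conn.closed = True
        return {"status": "rate_limited", "retry_after": limiter.lockout}
    expected = credentials.get(msg.get("charger_id"), "")
    ok = hmac.compare_digest(expected.encode(), str(msg.get("token", "")).encode())
    if ok and expected:
        limiter.record_success(conn.source)
        conn.authenticated_as = msg["charger_id"]
        return {"status": "ok"}
    conn.failures += 1
    locked = limiter.record_failure(conn.source, now)
    if locked or conn.failures >= MAX_FAILURES_PER_CONNECTION:
        conn.closed = True
    return {"status": "denied"}


def demo():
    creds = {"CH-0001": "constructed-token-A"}   # constructed sample credential store
    lim = AuthRateLimiter()
    results = []
    # Five bad tokens from one source: the per-connection cap closes each socket
    # after three failures and the per-source window then locks the source out.
    conn = Connection("203.0.113.7")
    for t in range(5):
        if conn.closed:
            conn = Connection("203.0.113.7")   # client reconnects after being dropped
        r = handle_auth_message(lim, conn, {"charger_id": "CH-0001", "token": "bad"}, float(t), creds)
        results.append(r["status"])
    good = {"charger_id": "CH-0001", "token": "constructed-token-A"}
    # The correct token is refused while the lockout is in force ...
    results.append(handle_auth_message(lim, Connection("203.0.113.7"), good, 5.0, creds)["status"])
    # ... accepted once it has expired ...
    results.append(handle_auth_message(lim, Connection("203.0.113.7"), good, 5.0 + LOCKOUT_SECONDS, creds)["status"])
    # ... and an unrelated source is never affected.
    results.append(handle_auth_message(lim, Connection("198.51.100.10"), good, 5.0, creds)["status"])
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the limiter by source rather than by charger identity matters here: a charger whose identity is being guessed should not be locked out of its own telemetry path by someone else's failures, while the source generating those failures should be. In a real deployment the in-memory dicts would be replaced by shared state so that the limit holds across several API nodes.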
Defensive priority
High. This is a remotely reachable authentication abuse issue with no privileges required and high availability impact. The advisory also indicates that some existing chargers may need compensating controls or upgrades due to legacy firmware and SSL/TLS compatibility constraints, so defenders should verify exposure and apply vendor guidance promptly.
Recommended defensive actions
- Confirm whether any SWTCH EV WebSocket endpoints are reachable from untrusted networks or devices.
- Apply SWTCH’s updated security policy and configuration changes for initial connections where supported.
- Use monitoring and targeted network-level restrictions, including IP-based access controls, to reduce exposure.
- Identify chargers with legacy firmware or SSL/TLS compatibility limitations and plan upgrades or retirement where full enforcement is not possible.
- Review telemetry integrity and authentication logs for signs of repeated authentication attempts, suppression, or mis-routing.
- Follow the SWTCH Security portal and contact SWTCH support for product-specific remediation guidance.
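The log-review item above is the one most teams can act on today. As an added example for this debrief (not a SWTCH tool, and the log format below is constructed because the advisory does not describe the product's logging), the script parses WebSocket authentication and telemetry events and surfaces three indicators that together match the advisory's impact description: a burst of failed authentications from one source, a successful authentication from that same source shortly afterwards, and a charger whose telemetry has gone silent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log in a hypothetical key=value format; adapt parse_line()
# to the real format. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z ws event=telemetry charger=CH-0001 peer=198.51.100.10
2026-03-01T10:00:05Z ws event=auth charger=CH-0002 peer=198.51.100.11 result=ok
2026-03-01T10:00:10Z ws event=telemetry charger=CH-0002 peer=198.51.100.11
2026-03-01T10:01:00Z ws event=auth charger=CH-0001 peer=203.0.113.7 result=fail
2026-03-01T10:01:02Z ws event=auth charger=CH-0001 peer=203.0.113.7 result=fail
2026-03-01T10:01:04Z ws event=auth charger=CH-0001 peer=203.0.113.7 result=fail
2026-03-01T10:01:06Z ws event=auth charger=CH-0001 peer=203.0.113.7 result=fail
2026-03-01T10:01:08Z ws event=auth charger=CH-0001 peer=203.0.113.7 result=fail
2026-03-01T10:01:10Z ws event=auth charger=CH-0001 peer=203.0.113.7 result=fail
2026-03-01T10:01:12Z ws event=auth charger=CH-0001 peer=203.0.113.7 result=ok
2026-03-01T10:05:00Z ws event=telemetry charger=CH-0002 peer=198.51.100.11
2026-03-01T10:10:00Z ws event=telemetry charger=CH-0002 peer=198.51.100.11
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ws (?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict of fields with a timezone-aware 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_auth_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failed auths inside any sliding `window`."""
    fails = defaultdict(list)
    for e in events:
        if e.get("event") == "auth" and e.get("result") == "fail":
            fails[e["peer"]].append(e["ts"])
    findings = []
    for peer, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"peer": peer, "count": len(stamps),
                                 "first": stamps[0], "last": stamps[-1]})
                break
    return findings


def detect_success_after_burst(events, bursts):
    """A successful auth from a source already flagged for a failure burst."""
    flagged = {b["peer"]: b["last"] for b in bursts}
    return [{"peer": e["peer"], "charger": e.get("charger"), "ts": e["ts"]}
            for e in events
            if e.get("event") == "auth" and e.get("result") == "ok"
            and e["peer"] in flagged and e["ts"] >= flagged[e["peer"]]]


def detect_telemetry_gaps(events, max_silence=timedelta(seconds=300)):
    """Chargers whose last telemetry is older than max_silence at the end of the log."""
    if not events:
        return []
    horizon = max(e["ts"] for e in events)
    last_seen = {}
    for e in events:
        if e.get("event") == "telemetry":
            c = e["charger"]
            if c not in last_seen or e["ts"] > last_seen[c]:
                last_seen[c] = e["ts"]
    return sorted(c for c, ts in last_seen.items() if horizon - ts > max_silence)


def analyze(text):
    events = parse_log(text)
    bursts = detect_auth_bursts(events)
    return {"bursts": bursts,
            "success_after_burst": detect_success_after_burst(events, bursts),
            "silent_chargers": detect_telemetry_gaps(events)}


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(name, finding)
```

On the constructed sample, the three detections line up on one charger: six failures from 203.0.113.7 in twelve seconds, a success from the same source two seconds later, and CH-0001 sending no telemetry for the remaining ten minutes of the log. Each indicator alone has benign explanations (a misconfigured charger retrying, a planned outage); their coincidence is what should be escalated, and the thresholds are starting points to tune against a deployment's normal retry behaviour.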
Evidence notes
All substantive findings come from the supplied CISA CSAF advisory (ICSA-26-057-06) and its revision history. The advisory states that the WebSocket API lacks restrictions on authentication requests and that this may enable denial-of-service or brute-force attacks. It also supplies the remediation notes added in Update A on 2026-05-14, including additional connection scrutiny, compensating controls, and upgrade guidance. The provided reference list includes CWE-307 and the official CVE record; no KEV entry was supplied.
Official resources
- CVE-2026-25113 CVE record (CVE.org)
- CVE-2026-25113 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public advisory published by CISA on 2026-02-26 and updated on 2026-05-14 (Update A). The supplied source does not list a KEV designation.