PatchSiren cyber security CVE debrief
CVE-2026-25778 SWITCH EV CVE debrief
CVE-2026-25778 describes a weakness in the SWTCH EV WebSocket backend where charging station identifiers are used to associate sessions, but multiple endpoints can connect with the same session identifier. That can let a later connection displace the legitimate charger session, causing session hijacking or shadowing and potentially denying service to the displaced station. CISA published the advisory on 2026-02-26 and updated it on 2026-05-14 with vendor-name corrections and mitigations supplied by SWTCH.
- Vendor: SWITCH EV
- Product: SWTCH EV swtchenergy.com vers:all/*
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-05-14
- Advisory published: 2026-02-26
- Advisory updated: 2026-05-14
Who should care
Operators and administrators of SWTCH EV charging deployments, teams managing charger connectivity or backend WebSocket services, SOC and incident response teams, and OT/ICS defenders responsible for network access controls and device onboarding.
Technical summary
The advisory states that the WebSocket backend uses charging-station identifiers to uniquely associate sessions, but does not prevent multiple endpoints from using the same session identifier. Because those identifiers are predictable, an attacker could establish a competing session that displaces the legitimate charger. The source describes impacts consistent with session hijacking or shadowing, unauthorized command delivery to the wrong endpoint, and denial of service through valid-session contention. CISA’s update notes that SWTCH applied configuration changes to add security checks for initial connections from untrusted chargers, with compensating controls such as monitoring and IP-based restrictions, while some field devices may still depend on legacy firmware or TLS compatibility constraints.
Defensive priority
High — network-reachable session-control flaws in charging infrastructure can directly disrupt availability and session integrity; prioritize if you operate affected SWTCH EV environments or depend on the charger WebSocket path.
Recommended defensive actions
- Review the CISA advisory and SWTCH mitigation guidance for CVE-2026-25778 before making connectivity changes.
- Apply SWTCH’s updated connection-control and authentication checks for initial connections from untrusted chargers where supported.
- Use compensating controls such as monitoring, IP-based access restrictions, and ingress protections to limit who can reach the backend.
- Inventory affected chargers and identify any devices that may require firmware updates or retirement because of legacy TLS or compatibility limitations.
- Validate that charger-to-backend sessions are uniquely bound and that duplicate or competing session identifiers are rejected.
- Alert operations and incident-response teams to watch for sudden charger disconnects, session churn, or unexpected backend command routing.
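The last two actions above can be turned into a log check. The following is an added example, not code from the advisory or from SWTCH: it flags a station identifier that connects from a second source while an earlier session is still open, and a station that reconnects unusually often. The event tuple layout, the station IDs, the addresses and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events (not from the advisory):
# (time in seconds, event, station id, source address)
SAMPLE_EVENTS = [
    (0,   "connect",    "CS-0001", "198.51.100.10"),
    (5,   "connect",    "CS-0002", "198.51.100.20"),
    (60,  "connect",    "CS-0001", "203.0.113.7"),    # same id, new source, old session open
    (61,  "disconnect", "CS-0001", "198.51.100.10"),  # original session is dropped
    (90,  "disconnect", "CS-0002", "198.51.100.20"),
    (95,  "connect",    "CS-0002", "198.51.100.20"),  # ordinary reconnect
    (100, "connect",    "CS-0003", "192.0.2.30"),
    (110, "disconnect", "CS-0003", "192.0.2.30"),
    (115, "connect",    "CS-0003", "192.0.2.30"),
    (125, "disconnect", "CS-0003", "192.0.2.30"),
    (130, "connect",    "CS-0003", "192.0.2.30"),     # third connect inside the window
]


def find_session_contention(events, churn_window=300, churn_limit=3):
    """Return alerts for competing sessions and for session churn.

    churn_window and churn_limit are assumed values; tune them to the
    reconnect behaviour that is normal for the deployment.
    """
    active = defaultdict(set)    # station id -> sources with an open session
    recent = defaultdict(deque)  # station id -> timestamps of recent connects
    alerts = []
    for ts, kind, station, source in sorted(events):
        if kind == "disconnect":
            active[station].discard(source)
            continue
        # A connect while another source still holds the same identifier is
        # the contention pattern the advisory describes.
        others = active[station] - {source}
        if others:
            alerts.append((ts, "competing_session", station, source, sorted(others)))
        active[station].add(source)
        # Track connects per station inside a sliding window to surface churn.
        window = recent[station]
        window.append(ts)
        while window and ts - window[0] > churn_window:
            window.popleft()
        if len(window) >= churn_limit:
            alerts.append((ts, "session_churn", station, source, len(window)))
    return alerts


if __name__ == "__main__":
    for alert in find_session_contention(SAMPLE_EVENTS):
        print(alert)
```

A competing-session alert is the stronger signal; churn alone can also come from poor cellular coverage or a failing charger.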
Evidence notes
All findings here are drawn from the CISA CSAF advisory ICSA-26-057-06 for CVE-2026-25778 and its revision history. The source description explicitly says the backend allows multiple endpoints to connect with the same identifier and that the most recent connection can displace the legitimate station. The advisory’s remediations describe configuration changes, compensating controls, and remaining constraints for some existing chargers. No exploit code or public weaponization is included in the supplied corpus.
Official resources
- CVE-2026-25778 CVE record (CVE.org)
- CVE-2026-25778 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA on 2026-02-26; updated on 2026-05-14 (Update A) with a vendor-name correction and added mitigations. The supplied corpus does not indicate KEV inclusion.