PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27767 SWITCH EV CVE debrief

CVE-2026-27767 affects SWTCH EV / swtchenergy.com and was published by CISA on 2026-02-26, with Update A on 2026-05-14 adding mitigations. The advisory says WebSocket endpoints lack proper authentication, allowing an unauthenticated attacker to connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and act as a legitimate charger. CISA characterizes the impact as unauthorized station impersonation, privilege escalation, unauthorized control of charging infrastructure, and corruption of backend-reported charging network data.

Vendor: SWITCH EV
Product: SWTCH EV swtchenergy.com vers:all/*
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-05-14
Advisory published: 2026-02-26
Advisory updated: 2026-05-14

Who should care

Operators and administrators of SWTCH EV charging deployments, EV charging network operators, site owners, and defenders responsible for OCPP backend integrations, charger onboarding, and network access controls.

Technical summary

The issue is an authentication weakness on WebSocket-based OCPP endpoints. Per the advisory, the attacker does not need valid credentials to establish a connection if they know or can discover a charging station identifier. That makes it possible to send or receive OCPP commands as if they were a legitimate charger, which can affect integrity of station identity, backend telemetry, and charging network control. The advisory’s remediation notes indicate SWTCH has applied configuration changes for initial connections from untrusted chargers, with additional enforcement for new connections and compensating controls such as monitoring and IP-based restrictions; some existing chargers may remain constrained by legacy firmware or SSL/TLS compatibility issues.

Defensive priority

Critical. Treat as high-priority exposure for any environment using affected SWTCH EV deployments, especially where chargers can reach the OCPP WebSocket endpoint over untrusted networks or where device identity is not strongly enforced.

Recommended defensive actions

  • Review affected SWTCH EV deployments and confirm whether chargers are covered by the updated security policy described in the CISA advisory.
  • Enforce authentication and connection-control checks on initial and subsequent OCPP WebSocket connections wherever technically supported.
  • Apply IP-based access controls or other network-level restrictions to limit who can reach the charging backend and OCPP endpoints.
  • Prioritize upgrades, reconfiguration, or retirement of chargers that cannot fully comply because of legacy firmware or SSL/TLS compatibility limits.
  • Monitor connection attempts and charger traffic for anomalous station identifiers, unexpected sessions, or backend data inconsistencies.
  • Consult the SWTCH Security portal and contact SWTCH support for device-specific remediation guidance.
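
As an added example (not from the CISA advisory or from SWTCH), the monitoring action above can be sketched as a review of OCPP WebSocket connection events that flags unknown station identifiers, connections from an unexpected source network, and a second live session for an identifier that is already connected. The log format, the station inventory and the name review_connections are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (assumption): station ID -> network it normally connects from.
INVENTORY = {
    "CP-0001": ipaddress.ip_network("198.51.100.0/24"),
    "CP-0002": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed sample events (assumption): "<time> <event> <station id> <source IP>"
SAMPLE_LOG = """\
2026-03-01T10:00:00Z connect CP-0001 198.51.100.10
2026-03-01T10:05:00Z connect CP-0002 203.0.113.7
2026-03-01T10:06:00Z connect CP-0001 192.0.2.44
2026-03-01T10:07:00Z connect CP-9999 192.0.2.44
2026-03-01T10:09:00Z disconnect CP-0002 203.0.113.7
2026-03-01T10:10:00Z connect CP-0002 203.0.113.7
"""

def review_connections(log_text, inventory):
    """Return (timestamp, station_id, reason) findings for connect events."""
    findings = []
    open_sessions = defaultdict(set)  # station ID -> source IPs with a live session
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, event, station, src = parts
        if event == "disconnect":
            open_sessions[station].discard(src)
            continue
        if event != "connect":
            continue
        expected = inventory.get(station)
        if expected is None:
            findings.append((ts, station, "unknown-station-id"))
        elif ipaddress.ip_address(src) not in expected:
            findings.append((ts, station, "unexpected-source"))
        # A live session from a different address means two parties claim one identity.
        if open_sessions[station] - {src}:
            findings.append((ts, station, "concurrent-session"))
        open_sessions[station].add(src)
    return findings

if __name__ == "__main__":
    for finding in review_connections(SAMPLE_LOG, INVENTORY):
        print(*finding)
```

A reconnect from the same address after a clean disconnect, as in the last sample line, produces no finding.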

Evidence notes

This debrief is based only on the CISA CSAF advisory ICSA-26-057-06 for CVE-2026-27767, published 2026-02-26 and updated 2026-05-14, plus the linked official CVE and CISA reference pages. The advisory explicitly states the authentication weakness, attack path, and mitigation notes. No exploit code or unsupported claims are included.

Official resources

CISA published the advisory on 2026-02-26 and revised it on 2026-05-14 to add mitigation detail. This debrief uses the CVE publication date for timing context and does not infer exploit activity beyond the advisory text.