PatchSiren cyber security CVE debrief

CVE-2026-20733 Unknown Vendor CVE debrief

CVE-2026-20733 describes an information exposure affecting CloudCharge cloudcharge.se deployments, where charging station authentication identifiers are publicly accessible through web-based mapping platforms. CISA published the advisory on 2026-02-26 and did not list this CVE in KEV. The source does not describe active exploitation, but publicly exposed identifiers can increase discovery, targeting, and misuse risk for charging infrastructure.

Vendor: Unknown Vendor
Product: CloudCharge cloudcharge.se vers:all/*
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

Owners and operators of CloudCharge-based charging stations, EV infrastructure administrators, OT/ICS security teams, integrators, and organizations that publish or manage station data through mapping platforms should review this issue.

Technical summary

The advisory states that charging station authentication identifiers are exposed on web-based mapping platforms. That is an information disclosure condition rather than a code execution flaw. The source material does not provide exploit details, affected software internals, or a confirmed attack chain, but exposure of authentication identifiers can help an attacker identify assets or support unauthorized access attempts if those identifiers are used in trust decisions, pairing, or management workflows.

Defensive priority

Moderate. The exposed data is publicly reachable and consists of authentication-related identifiers, but the advisory provides limited technical detail and no known exploitation data. Prioritize review if CloudCharge devices or station metadata are published externally or consumed by third-party mapping services.

Recommended defensive actions

  • Inventory CloudCharge cloudcharge.se deployments and determine whether authentication identifiers or related metadata are exposed in public mapping services.
  • Review what identifiers are published externally and remove or minimize any sensitive authentication-related data shared with mapping platforms.
  • If exposed identifiers are used in any trust, pairing, or management process, rotate or reissue the associated credentials or identifiers according to vendor guidance.
  • Monitor for unusual access, station enrollment, or management activity tied to exposed identifiers.
  • Follow CISA ICS recommended practices and broader defense-in-depth guidance for industrial control and connected infrastructure.
  • Contact CloudCharge through the vendor support page referenced in the advisory for product-specific mitigation guidance.
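
One way to carry out the inventory and review steps above is to check your own station inventory against a copy of the data a mapping platform publishes about your stations. This is an added example, not code from the advisory or from CloudCharge; the advisory does not describe the identifier format or the listing schema, so the identifier values, field names and JSON layout below are constructed assumptions.

```python
import json

# Constructed sample: the operator's own inventory of station -> authentication identifier.
INVENTORY = {
    "station-001": "AUTH-7F3A-EXAMPLE",
    "station-002": "AUTH-19C2-EXAMPLE",
    "station-003": "AUTH-55D0-EXAMPLE",
}

# Constructed sample of a public map listing export; the field names are assumptions.
PUBLIC_LISTING = json.loads("""
[
  {"name": "Harbour car park", "lat": 59.33, "lon": 18.06,
   "connectors": [{"type": "Type2", "ref": "auth-7f3a-example"}]},
  {"name": "Mall level 2", "lat": 59.31, "lon": 18.02,
   "popup": "<b>Mall</b> id=AUTH-55D0-EXAMPLE status=free"},
  {"name": "Depot", "lat": 59.30, "lon": 18.00, "connectors": []}
]
""")


def walk(node, path="$"):
    """Yield (json_path, string_value) for every string leaf, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_exposed(inventory, listing):
    """Return sorted (station, json_path) pairs where an identifier appears in public data."""
    needles = {ident.casefold(): station for station, ident in inventory.items() if ident}
    findings = set()
    for path, text in walk(listing):
        haystack = text.casefold()
        for needle, station in needles.items():
            if needle in haystack:  # substring match catches identifiers embedded in HTML or URLs
                findings.add((station, path))
    return sorted(findings)


if __name__ == "__main__":
    for station, path in find_exposed(INVENTORY, PUBLIC_LISTING):
        print(f"{station}: identifier visible at {path} -> remove from feed and rotate")
```

Each finding names the station and the exact field that carries the identifier, which is the input needed for both the minimization step and the rotation step.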

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-26-057-03, which states: "Charging station authentication identifiers are publicly accessible via web-based mapping platforms." The advisory metadata also notes SSVCv2/E:N/A:Y/2026-02-25T07:00:00.000000Z and indicates CloudCharge did not respond to CISA's coordination request. No KEV listing or active exploitation claim is present in the supplied corpus.

Official resources

Publicly disclosed by CISA on 2026-02-26. The supplied source does not indicate KEV inclusion or known active exploitation, and it notes that CloudCharge did not respond to CISA's coordination request.