PatchSiren cyber security CVE debrief
CVE-2026-20748 Unknown Vendor CVE debrief
CVE-2026-20748 describes a WebSocket session-management flaw in Everon OCPP backends where charging-station identifiers are used as session identifiers and multiple endpoints can connect with the same value. According to the CISA advisory, this can let a later connection displace the legitimate station, receive commands intended for that station, and potentially contribute to denial of service through repeated valid session requests. The advisory’s remediation note states that Everon shut down its platform on 2025-12-01, so the most relevant response may be decommissioning, access review, and verification that no dependent service remains exposed.
- Vendor: Unknown Vendor
- Product: Everon api.everon.io vers:all/*
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-03
- Original CVE updated: 2026-03-03
- Advisory published: 2026-03-03
- Advisory updated: 2026-03-03
Who should care
Operators of Everon api.everon.io OCPP integrations, charging-station fleet administrators, and defenders responsible for backend session handling, authentication, and availability monitoring in industrial or EV charging environments.
Technical summary
The advisory states that the WebSocket backend identifies sessions by charging-station identifier but does not prevent multiple endpoints from connecting with the same identifier. A station identifier is a poor session key: in OCPP-J it travels in the WebSocket URL path, so it is visible to anyone on the path and typically follows a predictable naming scheme (a general property of OCPP-J deployments, not a statement in the advisory). The result is session hijacking or shadowing: the newest connection replaces the legitimate station and receives the backend commands meant for it. Because every connection presenting a plausible identifier is accepted, repeated connection attempts can also overwhelm the backend with valid session requests, creating a denial-of-service condition. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, scored 7.3 (High): unauthenticated network access with low impact on each of confidentiality, integrity, and availability.
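The session-binding behaviour described above, modelled as an added example (this is illustrative code written for this debrief, not Everon code, and it reproduces no real backend). An in-memory registry stands in for the WebSocket backend: the vulnerable policy keys sessions on the station identifier alone and lets the newest connection win, so a command routed by station id reaches whoever connected last; the hardened policy authenticates the connection first, binds the session to that credential, and refuses a second connection for an id that is already live. Peers, station ids, the Basic-style shared secret, and the trimmed CALL frame are all constructed for the example.

```python
"""Session binding for an OCPP-J WebSocket backend: the flaw beside a fix.

Added illustration of the CVE-2026-20748 advisory text; not Everon code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hmac
import secrets


@dataclass
class Connection:
    peer: str                     # remote address:port (constructed)
    station_id: str               # charge point id from the OCPP-J URL path
    credential: Optional[str]     # e.g. HTTP Basic password; assumed scheme
    inbox: List[list] = field(default_factory=list)   # backend -> station


class VulnerableRegistry:
    """Session key is the station id and the last writer wins (the flaw)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Connection] = {}

    def connect(self, conn: Connection) -> bool:
        # No authentication and no check for a live session: a second
        # connection presenting the same id silently displaces the first.
        self.sessions[conn.station_id] = conn
        return True

    def send_command(self, station_id: str, call: list) -> Optional[str]:
        conn = self.sessions.get(station_id)
        if conn is None:
            return None
        conn.inbox.append(call)
        return conn.peer          # who actually received the command


class HardenedRegistry:
    """Authenticate, bind the session to the credential, reject duplicates."""

    def __init__(self, credentials: Dict[str, str]) -> None:
        self.credentials = credentials        # station id -> expected secret
        self.sessions: Dict[str, Connection] = {}
        self.tokens: Dict[str, str] = {}      # random per-session handle

    def connect(self, conn: Connection) -> bool:
        expected = self.credentials.get(conn.station_id)
        if expected is None or conn.credential is None:
            return False
        if not hmac.compare_digest(expected.encode(), conn.credential.encode()):
            return False
        if conn.station_id in self.sessions:
            # Refuse the newcomer. A backend may instead probe the old socket
            # and close it if dead, but it must never swap sessions silently.
            return False
        self.sessions[conn.station_id] = conn
        # The internal session handle is random, never the station id itself.
        self.tokens[conn.station_id] = secrets.token_urlsafe(16)
        return True

    def disconnect(self, conn: Connection) -> None:
        # Only the connection that owns the session may release it.
        if self.sessions.get(conn.station_id) is conn:
            del self.sessions[conn.station_id]
            del self.tokens[conn.station_id]

    def send_command(self, station_id: str, call: list) -> Optional[str]:
        conn = self.sessions.get(station_id)
        if conn is None:
            return None
        conn.inbox.append(call)
        return conn.peer


def run_scenario(registry) -> dict:
    """A legitimate station connects, then an impostor presents the same id."""
    legit = Connection("10.0.0.21:50412", "CP-0001", "s3cret-0001")
    rogue = Connection("203.0.113.9:41000", "CP-0001", None)
    out = {"legit_accepted": registry.connect(legit),
           "rogue_accepted": registry.connect(rogue)}
    # OCPP-J CALL frame shape [2, uniqueId, action, payload]; payload trimmed.
    call = [2, "19223201", "RemoteStartTransaction", {"idTag": "TAG1"}]
    out["command_delivered_to"] = registry.send_command("CP-0001", call)
    return out


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableRegistry()))
    print("hardened:  ", run_scenario(HardenedRegistry({"CP-0001": "s3cret-0001"})))
```

With the vulnerable policy the rogue peer is accepted and the RemoteStartTransaction frame lands in its inbox; with the hardened policy the rogue is refused for lack of a credential, and even a rogue holding the right secret is refused while the legitimate session is live.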
Defensive priority
High if any affected backend is still reachable; otherwise medium for decommissioning and credential hygiene because the advisory says the platform was shut down on 2025-12-01. Prioritize verification of exposure, session isolation, and monitoring for duplicate station identifiers.
Recommended defensive actions
- Confirm whether any Everon OCPP backend instance or dependent integration is still reachable; if the advisory’s shutdown note is accurate, remove trust in the service and decommission related credentials and routes.
- Ensure session identifiers are unique and unpredictable, generated by the backend rather than derived from the charging-station identifier, and bind each session to an authenticated station credential (for example OCPP HTTP Basic authentication or TLS client certificates) so that knowing an identifier alone is not enough to claim a session.
- Reject a second connection for a station that already has a live session, or close the old socket only after confirming it is dead; terminate stale sessions explicitly rather than letting a newcomer silently replace them.
- Monitor for repeated connection attempts using the same station identifier and investigate any shadowing or displacement behavior.
- Review CISA industrial control system recommended practices for access control, segmentation, logging, and resilience.
- Audit backend logs and configuration for any station identifiers, credentials, or integrations that may still be trusted after the platform shutdown note.
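The monitoring item above, as an added example of detection logic run over backend connection logs (written for this debrief; it is not Everon tooling). The log format, an ISO timestamp followed by key=value fields, and the sample lines are constructed for the example. Two patterns are flagged: a connect for a station id that is already live from a different host (displacement or shadowing), and a burst of connects for one id inside a short window (repeated valid session requests, the denial-of-service vector). A clean disconnect followed by a reconnect from the same host, as a healthy station does, is not flagged.

```python
"""Flag station-identifier reuse in OCPP WebSocket backend connection logs.

Added example for CVE-2026-20748 monitoring; log format and lines are constructed.
"""
from collections import deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>connect|disconnect) "
    r"station=(?P<station>\S+) peer=(?P<peer>\S+)$"
)

# Constructed sample: CP-0001 is shadowed from another host, CP-0002 does a
# normal reconnect, CP-0003 is hammered with repeated connects from one host.
SAMPLE_LOG = """\
2026-03-03T10:00:01Z event=connect station=CP-0001 peer=10.0.0.21:50412
2026-03-03T10:00:02Z event=connect station=CP-0002 peer=10.0.0.22:50413
2026-03-03T10:00:05Z event=connect station=CP-0001 peer=203.0.113.9:41000
2026-03-03T10:00:30Z event=disconnect station=CP-0002 peer=10.0.0.22:50413
2026-03-03T10:00:31Z event=connect station=CP-0002 peer=10.0.0.22:50500
2026-03-03T10:01:00Z event=connect station=CP-0003 peer=198.51.100.7:5000
2026-03-03T10:01:01Z event=connect station=CP-0003 peer=198.51.100.7:5001
2026-03-03T10:01:02Z event=connect station=CP-0003 peer=198.51.100.7:5002
2026-03-03T10:01:03Z event=connect station=CP-0003 peer=198.51.100.7:5003
2026-03-03T10:01:04Z event=connect station=CP-0003 peer=198.51.100.7:5004
"""


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = rec["peer"].rsplit(":", 1)[0]   # compare hosts, not ports
    return rec


def find_station_id_abuse(log_text, window=timedelta(seconds=60), burst=5):
    """Replay the log and return findings in timestamp order."""
    active = {}        # station -> record of the connection currently live
    recent = {}        # station -> connect timestamps inside the window
    burst_flagged = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        station = rec["station"]
        if rec["event"] == "disconnect":
            live = active.get(station)
            if live is not None and live["peer"] == rec["peer"]:
                del active[station]           # clean release by the owner
            continue
        live = active.get(station)
        if live is not None and live["host"] != rec["host"]:
            findings.append({"kind": "displacement", "station": station,
                             "at": rec["ts"].isoformat(),
                             "previous_peer": live["peer"],
                             "new_peer": rec["peer"]})
        active[station] = rec                 # mirrors last-writer-wins
        q = recent.setdefault(station, deque())
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= burst and station not in burst_flagged:
            burst_flagged.add(station)
            findings.append({"kind": "burst", "station": station,
                             "at": rec["ts"].isoformat(),
                             "connects_in_window": len(q)})
    return findings


if __name__ == "__main__":
    for f in find_station_id_abuse(SAMPLE_LOG):
        print(f)
```

The displacement rule compares hosts rather than host:port pairs so that a station reconnecting through the same NAT is not flagged; tune `window` and `burst` to the fleet's real reconnect cadence before alerting on the burst rule.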
Evidence notes
All claims are drawn from the supplied CISA CSAF advisory and its metadata. The advisory explicitly says the WebSocket backend uses charging-station identifiers as session identifiers, allows multiple endpoints to connect with the same identifier, and can enable session hijacking/shadowing and denial of service. The supplied remediation field states that Everon shut down its platform on 2025-12-01. Vendor attribution in the supplied metadata is low-confidence and marked as needing review, so this debrief avoids asserting more specific vendor identity than the source supports.
Official resources
- CVE-2026-20748 CVE record (CVE.org)
- CVE-2026-20748 NVD detail (NVD)
- Source item: cisa_csaf
Publicly disclosed by CISA in CSAF advisory ICSA-26-062-08 on 2026-03-03; the source metadata shows initial publication on the same date. The advisory also includes a remediation note that Everon shut down its platform on 2025-12-01.