PatchSiren cyber security CVE debrief

CVE-2026-20895 Unknown Vendor CVE debrief

CVE-2026-20895 was published on 2026-02-26 in CISA advisory ICSA-26-057-04. The issue affects EV2GO ev2go.io and stems from WebSocket backend session handling that uses charging station identifiers to associate sessions. Because multiple endpoints can connect with the same session identifier, a later connection can displace the legitimate charging station and receive backend commands intended for that station. CISA’s description says this can enable session hijacking or shadowing, unauthorized authentication as another user, and denial of service by overwhelming the backend with valid session requests. CISA also notes EV2GO did not respond to coordination requests.

Vendor: Unknown Vendor
Product: EV2GO ev2go.io vers:all/*
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

Operators and administrators of EV2GO deployments, especially teams managing WebSocket-connected charging infrastructure, should treat this as a high-priority authentication and session integrity issue. Security teams monitoring industrial or operational technology networks should also care because the impact includes unauthorized command delivery and service disruption.

Technical summary

The advisory describes predictable session identifiers in a WebSocket backend. The system uses charging station identifiers to uniquely associate sessions, but it allows multiple endpoints to connect using the same identifier. As a result, the most recent connection can replace the legitimate station in the backend session mapping and receive commands meant for the displaced session. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, which indicates network reachability, low attack complexity, no privileges or user interaction required, unchanged scope, and low (partial) confidentiality, integrity, and availability impact.

Defensive priority

High. The flaw is remotely reachable, requires no prior privileges or user interaction according to the supplied CVSS vector, and can affect both command integrity and availability. Prioritize authentication hardening, session uniqueness, and monitoring for duplicate or conflicting session registrations.

Recommended defensive actions

  • Review how WebSocket sessions are created, named, and validated in EV2GO deployments and ensure session identifiers are unpredictable and unique per connection.
  • Reject or quarantine duplicate session attempts so that one charging station identifier cannot be used to shadow an existing authenticated session.
  • Bind backend commands to authenticated device identity, not only to a client-supplied or predictable session key.
  • Add monitoring and alerting for repeated session re-registration, duplicate identifiers, and unexpected session displacement events.
  • Apply rate limiting or connection controls to reduce abuse through floods of valid session requests.
  • Follow CISA industrial control systems recommended practices and defense-in-depth guidance referenced in the advisory.
  • Contact EV2GO via the vendor contact page for product-specific remediation guidance, since CISA states the vendor did not respond to coordination efforts.
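The session-uniqueness, identity-binding, and monitoring controls listed above can be captured in one small backend registry. The following is an added illustration written for this debrief, not EV2GO's code or anything from the advisory; the class name, the `duplicate_session` and `rate_limited` alert labels, and the constructed station and connection identifiers are assumptions.

```python
import time
from collections import defaultdict, deque


class SessionRegistry:
    """One live backend session per charging station identifier.

    A later connection that claims an identifier already in use is rejected
    and recorded as an alert, instead of silently displacing the existing
    session. Registration attempts per identifier are rate limited, and
    command routing is checked against the authenticated device identity
    rather than only the client-supplied station identifier.
    """

    def __init__(self, max_attempts=5, window_s=60.0):
        self.sessions = {}                  # station_id -> (conn_id, device_identity)
        self.attempts = defaultdict(deque)  # station_id -> registration timestamps
        self.alerts = []                    # (kind, station_id, conn_id) for monitoring
        self.max_attempts = max_attempts
        self.window_s = window_s

    def register(self, station_id, conn_id, device_identity, now=None):
        now = time.monotonic() if now is None else now
        window = self.attempts[station_id]
        window.append(now)
        while window and now - window[0] > self.window_s:  # drop stale attempts
            window.popleft()
        if len(window) > self.max_attempts:  # flood of (re)registrations
            self.alerts.append(("rate_limited", station_id, conn_id))
            return False
        existing = self.sessions.get(station_id)
        if existing is not None and existing[0] != conn_id:  # would displace a live session
            self.alerts.append(("duplicate_session", station_id, conn_id))
            return False
        self.sessions[station_id] = (conn_id, device_identity)
        return True

    def unregister(self, station_id, conn_id):
        """Only the connection that owns the session may release it."""
        if self.sessions.get(station_id, (None, None))[0] == conn_id:
            del self.sessions[station_id]
            return True
        return False

    def route_command(self, station_id, device_identity):
        """Return the connection to deliver a command to, or None if the live
        session's authenticated identity is not the intended device."""
        entry = self.sessions.get(station_id)
        if entry is None or entry[1] != device_identity:
            return None
        return entry[0]
```

The `alerts` list is where a deployment would hook its monitoring; a burst of `duplicate_session` entries for one station identifier is exactly the displacement pattern the advisory describes.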

Evidence notes

All core findings come from the CISA CSAF advisory text for ICSA-26-057-04 and its referenced official links. The advisory explicitly states that the WebSocket backend uses charging station identifiers, allows multiple endpoints with the same session identifier, and can result in session hijacking/shadowing and denial of service. The published and modified dates supplied in the source are 2026-02-26T07:00:00.000Z. No exploit steps or reproduction details are included here.

Official resources

CISA published the advisory on 2026-02-26. The source states EV2GO did not respond to CISA’s request for coordination. This debrief uses only the supplied advisory corpus and official references.