PatchSiren cyber security CVE debrief
CVE-2026-24731 Unknown Vendor CVE debrief
CVE-2026-24731 affects EV2GO ev2go.io and is rated Critical (CVSS 9.4). CISA’s advisory says WebSocket endpoints lack proper authentication, allowing an unauthenticated attacker to connect to the OCPP WebSocket endpoint with a known or discovered charging-station identifier, impersonate a legitimate charger, and manipulate data sent to the backend. The result can include unauthorized control of charging infrastructure, privilege escalation, and corruption of charging-network records.
- Vendor: Unknown Vendor
- Product: EV2GO ev2go.io vers:all/*
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
EV charging network operators, station fleet administrators, OT/security teams, backend platform owners, and integrators that expose or broker OCPP/WebSocket access for EV2GO deployments.
Technical summary
The core issue is missing authentication on WebSocket endpoints used for OCPP communications. According to the CISA CSAF, an attacker does not need credentials to connect, and can then issue or receive OCPP commands as if they were a legitimate charging station. Because station identity can be inferred or discovered, the attack can affect backend trust decisions and data integrity across the charging network. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.
Defensive priority
Urgent. This is a network-reachable authentication failure with direct impact on integrity and control of charging infrastructure, so it should be treated as a high-priority exposure for any affected deployment.
Recommended defensive actions
- Restrict exposure of the OCPP/WebSocket service to trusted networks and management paths only.
- Add strong authentication and per-station authorization before any WebSocket or OCPP session is established.
- Review backend logic that accepts station identity and commands; reject unauthenticated or inconsistent session metadata.
- Audit logs for unusual station identifiers, repeated connection attempts, or unexpected command/response patterns.
- Check all EV2GO-connected charging assets for backend data inconsistencies or unexplained control actions.
- Contact EV2GO for remediation guidance and monitor CISA/CVE updates for any vendor response or fix information.
- Apply network segmentation and access control around charging infrastructure while remediation is pending.
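The second and third actions above (authenticate before any OCPP session exists, and tie the accepted station identity to a credential rather than to the URL alone) can be enforced at the WebSocket upgrade step. The following is an added illustration, not EV2GO code or anything from the advisory; it assumes the OCPP-J convention of the charge point identifier being the last path segment and HTTP Basic credentials carried on the upgrade request, and the station key store and key values are constructed for the example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote, urlparse

# Constructed per-station key store: station id -> SHA-256 of a high-entropy
# per-station key (not a human password, so no KDF is used here). Values are made up.
def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

STATION_KEYS = {"CP-0001": _digest("k-0001-example"), "CP-0002": _digest("k-0002-example")}
ALLOWED_SUBPROTOCOLS = {"ocpp1.6", "ocpp2.0.1"}

@dataclass
class Decision:
    accepted: bool
    station_id: Optional[str]
    reason: str

def basic_auth_header(station_id: str, key: str) -> str:
    """Build the Authorization header value a legitimate charger would send."""
    return "Basic " + base64.b64encode(f"{station_id}:{key}".encode()).decode()

def authorize_upgrade(path: str, headers: Dict[str, str]) -> Decision:
    """Decide whether a WebSocket upgrade request may become an OCPP session.
    The identifier in the path is only a claim; it is never trusted by itself."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    station_id = unquote(urlparse(path).path.rstrip("/").rsplit("/", 1)[-1])
    if not station_id:
        return Decision(False, None, "no station id in path")
    if hdrs.get("sec-websocket-protocol") not in ALLOWED_SUBPROTOCOLS:
        return Decision(False, station_id, "unsupported or missing OCPP subprotocol")
    auth = hdrs.get("authorization", "")
    if not auth.startswith("Basic "):
        return Decision(False, station_id, "missing credentials")
    try:
        user, _, key = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:
        return Decision(False, station_id, "malformed credentials")
    expected = STATION_KEYS.get(station_id)
    # Per-station authorization: the credential must belong to the id in the path,
    # so a valid key for CP-0001 cannot be replayed to impersonate CP-0002.
    if user != station_id or expected is None or not hmac.compare_digest(_digest(key), expected):
        return Decision(False, station_id, "credential does not match station id")
    return Decision(True, station_id, "ok")
```

Every rejected upgrade should also be logged with the claimed station id and source address, which feeds the log audit recommended above.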
Evidence notes
All core facts are drawn from the supplied CISA CSAF advisory for ICSA-26-057-04 / CVE-2026-24731, published 2026-02-26. The advisory states that WebSocket endpoints lack proper authentication, that an unauthenticated attacker can use a known or discovered charging-station identifier to impersonate a charger and send/receive OCPP commands, and that this can cause privilege escalation, unauthorized control, and corruption of backend-reported data. The source also notes EV2GO did not respond to CISA’s coordination request. Vendor/product attribution in the source corpus is marked low confidence and needs review.
Official resources
- CVE-2026-24731 CVE record (CVE.org)
- CVE-2026-24731 NVD detail (NVD)
- Source item: cisa_csaf
CISA published ICSA-26-057-04 / CVE-2026-24731 on 2026-02-26. The advisory says EV2GO did not respond to CISA’s coordination request. The vendor attribution in the supplied data is low confidence and should be treated as needing review.