PatchSiren


CVE-2026-26288 Unknown Vendor CVE debrief

CVE-2026-26288 is an authentication failure in Everon’s OCPP backend WebSocket endpoints. CISA says an unauthenticated attacker who knows or discovers a charging-station identifier can connect as a legitimate charger, issue or receive OCPP commands, and corrupt backend data. The advisory was published on 2026-03-03, and its remediation note says Everon shut down its platform on 2025-12-01, which matters when assessing any remaining exposure.

Vendor: Unknown Vendor
Product: Everon api.everon.io vers:all/*
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-03
Original CVE updated: 2026-03-03
Advisory published: 2026-03-03
Advisory updated: 2026-03-03

Who should care

Operators and integrators of EV charging infrastructure using Everon api.everon.io; OT/ICS security teams; SOC and incident-response teams; and anyone responsible for historical data, backend integrations, or inherited OCPP telemetry/control paths.

Technical summary

The advisory describes a network-reachable OCPP WebSocket endpoint with missing authentication (CWE-306). Because no authentication is required, a remote attacker can impersonate a charger by using a known or discovered station identifier and then interact with the backend as if it were a legitimate endpoint. CISA’s provided CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L, reflecting high impact to confidentiality and integrity with some availability impact.

Defensive priority

Critical. A remotely reachable, unauthenticated control-plane weakness affecting charging infrastructure should be treated as urgent to validate, isolate, or retire.

Recommended defensive actions

  • Confirm whether any Everon OCPP WebSocket endpoint or dependent integration is still reachable; if so, isolate or disable it pending replacement.
  • Review backend logs for unknown charging-station identifiers, unusual OCPP session patterns, unexpected command traffic, and signs of data tampering.
  • Revoke or replace any station identifiers, trust material, keys, or credentials associated with affected integrations, where applicable.
  • Apply strict network segmentation and access controls around charging backends; require strong authentication for any replacement service or migration path.
  • Validate the integrity of charging-session, metering, and operational data collected during the exposure window and re-sync from trusted sources where possible.
  • Use CISA ICS recommended practices for monitoring, defense-in-depth, and incident handling around industrial control and charging systems.
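
One way to run the log review from the second action above, as an added example that is not part of the advisory or any Everon tooling. It assumes a hypothetical access-log format in which each accepted WebSocket upgrade is recorded with a timestamp, source address, and a path ending in the station identifier; the sample lines, the inventory set, and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical access-log format:
# timestamp, source IP, WebSocket upgrade path ending in the station identifier.
SAMPLE_LOG = """\
2025-11-20T10:00:00Z 198.51.100.10 GET /ocpp/CP-0001 101
2025-11-20T10:00:05Z 198.51.100.11 GET /ocpp/CP-0002 101
2025-11-20T10:02:00Z 203.0.113.7 GET /ocpp/CP-0001 101
2025-11-20T10:02:01Z 203.0.113.7 GET /ocpp/CP-0003 101
2025-11-20T10:02:02Z 203.0.113.7 GET /ocpp/CP-0004 101
2025-11-20T10:02:03Z 203.0.113.7 GET /ocpp/CP-9999 101
"""
KNOWN_STATIONS = {"CP-0001", "CP-0002", "CP-0003", "CP-0004"}  # assumed inventory
LINE = re.compile(r"^(\S+) (\S+) GET /ocpp/(\S+) 101$")

def parse(log_text):
    """Yield (time, source_ip, station_id) for each accepted WebSocket upgrade."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def review(log_text, known, window=timedelta(minutes=10), max_ids_per_ip=3):
    """Return findings for three patterns: unknown IDs, shared IDs, ID sweeps."""
    events = sorted(parse(log_text))
    findings = {"unknown_station": set(), "multi_source": set(), "id_sweep": set()}
    by_station, by_ip = defaultdict(list), defaultdict(list)
    for ts, ip, station in events:
        if station not in known:
            findings["unknown_station"].add(station)
        # Same station identifier seen from a different address inside the window.
        if any(ip != p and ts - t <= window for t, p in by_station[station]):
            findings["multi_source"].add(station)
        by_station[station].append((ts, ip))
        # One address presenting many distinct identifiers inside the window.
        by_ip[ip].append((ts, station))
        recent = {s for t, s in by_ip[ip] if ts - t <= window}
        if len(recent) > max_ids_per_ip:
            findings["id_sweep"].add(ip)
    return findings

if __name__ == "__main__":
    for kind, values in review(SAMPLE_LOG, KNOWN_STATIONS).items():
        print(kind, sorted(values))
```

A charger on a cellular or NAT link can legitimately reconnect from a new address, so treat a multi_source hit as a lead to correlate with session and metering records rather than as proof of impersonation.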

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-062-08 / CVE-2026-26288 and its listed references. The source states that WebSocket endpoints lacked proper authentication, enabling unauthorized station impersonation and backend manipulation. The advisory’s remediation note reports that Everon shut down its platform on 2025-12-01. The published advisory date is 2026-03-03; that date is used as the CVE publication context here.

Official resources

CISA published the advisory for CVE-2026-26288 on 2026-03-03. The source remediation note states that Everon shut down its platform on 2025-12-01, so any current risk assessment should focus on whether any live, mirrored, or inherited OCPP