PatchSiren cyber security CVE debrief
CVE-2026-27770 Unknown Vendor CVE debrief
CISA published CVE-2026-27770 on 2026-03-03 for ePower epower.ie. The advisory says charging-station authentication identifiers are publicly accessible via web-based mapping platforms, which creates an information-exposure risk rather than a software-execution flaw. The CVSS v3.1 score is 6.5 (Medium); while the source does not report code execution or direct service disruption, exposed identifiers can assist reconnaissance and unauthorized access attempts against charging infrastructure.
- Vendor: Unknown Vendor
- Product: ePower epower.ie vers:all/*
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-03
- Original CVE updated: 2026-03-03
- Advisory published: 2026-03-03
- Advisory updated: 2026-03-03
Who should care
Owners and operators of ePower/epower.ie charging stations, EV fleet charging administrators, OT/ICS security teams, and anyone responsible for station data published to web mapping platforms should review exposure immediately.
Technical summary
The advisory describes a network-reachable exposure of charging-station authentication identifiers through public mapping platforms. CISA rates the issue CVSS v3.1 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), consistent with low-complexity, unauthenticated access to sensitive identifiers and limited confidentiality/integrity impact. The advisory does not describe code execution, malware, or a direct availability impact; the primary concern is that exposed identifiers can be abused for targeting or unauthorized access attempts.
Defensive priority
Medium-to-high for operators with public EV charging assets; prioritize quickly if any station identifiers, management metadata, or mapping-platform listings are externally visible.
Recommended defensive actions
- Inventory all ePower/epower.ie charging assets and confirm which identifiers, metadata, or station details are publicly reachable through mapping platforms.
- Remove or minimize any authentication identifiers and other sensitive operational details from public mapping or directory services where possible.
- Review access controls, rotation options, and any downstream systems that reference the exposed identifiers.
- Monitor relevant logs for unusual lookups, enrollment attempts, or access patterns tied to publicly exposed station information.
- Contact ePower through the vendor support page referenced in the advisory and document any exposure-remediation guidance they provide.
- Apply CISA ICS recommended practices and defense-in-depth guidance for industrial control systems and connected charging infrastructure.
- Treat the advisory as an exposure-management issue even if no direct device compromise has been observed.
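An added example, not taken from the advisory or from ePower: one way to carry out the inventory step above is to compare the operator's own list of station authentication identifiers against an export of its public mapping listings. The identifier values, field names and listing format below are constructed for illustration.

```python
import json
import re

# Constructed sample: the operator's own inventory of station authentication
# identifiers (hypothetical values, not from the advisory).
AUTH_IDS = {"CP-0001-ALPHA", "CP-0002-BRAVO", "CP-0003-CHARLIE"}

# Constructed sample: records as an operator might export them from a public
# mapping listing. Field names are assumptions for illustration.
PUBLIC_LISTING = json.loads("""
[
  {"name": "Main St Car Park", "lat": 53.35, "lon": -6.26,
   "connectors": [{"type": "Type 2", "ref": "cp-0001-alpha"}]},
  {"name": "Harbour Rd", "lat": 53.34, "lon": -6.20,
   "description": "Station id CP_0002_BRAVO, 22 kW"},
  {"name": "Station Sq", "lat": 53.30, "lon": -6.30, "ref": "public-ref-77"}
]
""")

def normalize(value):
    """Uppercase and drop separators so 'cp_0001-alpha' matches 'CP-0001-ALPHA'."""
    return re.sub(r"[^A-Z0-9]", "", str(value).upper())

def walk(node, path=""):
    """Yield (path, scalar) for every leaf value in nested dicts and lists."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, node

def find_exposures(listing, auth_ids):
    """Return sorted (identifier, field path) pairs for identifiers found in public fields."""
    wanted = {normalize(a): a for a in auth_ids}
    hits = set()
    for path, value in walk(listing):
        text = normalize(value)
        for norm, original in wanted.items():
            if norm in text:  # exact or embedded in free text
                hits.add((original, path))
    return sorted(hits)

if __name__ == "__main__":
    for ident, path in find_exposures(PUBLIC_LISTING, AUTH_IDS):
        print(f"exposed: {ident} at {path} -> remove from listing, review rotation")
```

Substring matching after normalization catches identifiers embedded in free-text fields; very short identifiers can produce false positives, so review each hit before acting on it.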
Evidence notes
Based on the CISA CSAF advisory ICSA-26-062-07 / CVE-2026-27770, published and modified on 2026-03-03, describing publicly accessible charging-station authentication identifiers via web-based mapping platforms. The advisory metadata lists the product as ePower / epower.ie / vers:all/* and includes CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5). CISA’s remediation text says ePower did not respond to CISA’s coordination request. Upstream enrichment in the provided corpus flags the vendor identity for review with low confidence, so the advisory naming should be preferred over any secondary vendor guesswork.
Official resources
- CVE-2026-27770 CVE record (CVE.org)
- CVE-2026-27770 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA publicly disclosed CVE-2026-27770 on 2026-03-03. The advisory notes that ePower did not respond to CISA’s request for coordination.