Everon API CVE-2026-26288
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AnalysisAI
Unauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform via unprotected OCPP WebSocket endpoints. By connecting with a known or discovered station identifier, attackers gain full control to issue OCPP commands as legitimate chargers, manipulate charging session data, escalate privileges within the charging network infrastructure, and corrupt backend telemetry. CISA ICS-CERT reports this vulnerability affecting critical EV charging infrastructure. Despite 9.3 CVSS score indicating critical severity, EPSS score of 0.09% (25th percentile) suggests exploitation requires specialized knowledge of OCPP protocol and charging network architecture rather than mass automated scanning.
Technical ContextAI
This vulnerability affects the Open Charge Point Protocol (OCPP) WebSocket implementation in Everon's backend API platform (api.everon.io). OCPP is the industry-standard communication protocol between EV charging stations and central management systems, typically operating over WebSocket transport for bidirectional real-time messaging. The flaw represents CWE-306 (Missing Authentication for Critical Function), where the OCPP WebSocket endpoint accepts connections without validating the identity of connecting charging stations. In properly secured OCPP deployments, charging stations authenticate via HTTP Basic Auth, client certificates, or token-based mechanisms during WebSocket handshake. The absence of these controls allows any network-accessible client to establish WebSocket connections and participate in OCPP message exchanges by simply knowing or guessing valid charging station identifiers, which may be predictable or discoverable through enumeration.
RemediationAI
Primary remediation requires implementing authentication mechanisms on all OCPP WebSocket endpoints per CISA ICS-CERT guidance at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08. Consult the advisory for vendor-provided patches or configuration changes. Until vendor patches are applied, implement compensating controls: restrict network access to OCPP WebSocket endpoints using firewall rules permitting only known charging station IP addresses (requires maintaining IP allowlist, breaks mobility for cellular-connected chargers); deploy mutual TLS (mTLS) authentication requiring client certificates for WebSocket handshake (adds certificate management overhead but provides strong cryptographic identity verification); implement application-layer authentication tokens in WebSocket subprotocol negotiation (requires custom development if not supported by Everon platform); monitor WebSocket connections for unauthorized station identifiers and anomalous OCPP command patterns using network IDS rules. Network segmentation alone is insufficient as it does not prevent impersonation by compromised stations within the trusted zone. Organizations should audit existing charging station identifiers for predictability and implement randomized identifier schemes to prevent enumeration attacks.
More in Api Everon Io
View allRemote denial-of-service and credential brute-force attacks against Everon's api.everon.io WebSocket interface allow una
WebSocket session management in charging station backends allows multiple connections using identical session identifier
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today