
Evoke CSMS EUVD-2026-39564

CVE-2026-44622 · MEDIUM
Insufficiently Protected Credentials (CWE-522)
2026-06-25 · icscert · GHSA-mr33-r399-w43m
6.9 · CVSS 4.0 · Vendor: icscert

Severity by source

Vendor (icscert) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Public mapping platform exposure requires no privileges or interaction; direct integrity impact is not confirmed by description alone, so I:N is assessed pending vendor clarification.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS Vector (Vendor: icscert)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

CVSS changed: Jun 25, 2026 - 22:22 (NVD), 6.5 (MEDIUM) → 6.9 (MEDIUM)
Analysis generated: Jun 25, 2026 - 21:58 (vuln.today)

Description (CVE.org)

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Analysis (AI)

Evoke CSMS exposes charging station authentication identifiers through public web-based mapping platforms, allowing unauthenticated network actors to harvest credentials with no special access or interaction. Classified under CWE-522 (Insufficiently Protected Credentials) and reported by ICS-CERT via advisory ICSA-26-176-02, this flaw affects all tracked versions of the Evoke Charging Station Management System across its entire version history per the wildcard CPE. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Access public EV station mapping platform
Delivery: Query or scrape station listing data
Exploit: Harvest exposed authentication identifiers
Execution: Submit identifiers to Evoke CSMS or charge point
Persist: Authenticate as trusted charge point
Impact: Initiate unauthorized charging session

Vulnerability Assessment (AI)

Exploitation: Evoke CSMS must be integrated with one or more public web-based mapping platforms that surface authentication identifier fields in their externally accessible station data - this integration is the specific, concrete configuration condition driving the exposure. …

Risk Assessment: The CVSS 3.1 score of 6.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N reflects trivially accessible, unauthenticated exposure requiring no complexity or user interaction, while the S:U, C:L, and I:L components constrain the overall impact rating. …

Exploit Scenario: An attacker accesses a public web-based EV charging station mapping platform and queries or scrapes the station listing data for a target Evoke CSMS deployment, extracting exposed authentication identifiers without any authentication or special tooling. Using those harvested identifiers, the attacker could potentially submit them to the Evoke CSMS backend or individual charge points to authenticate as a trusted entity, enabling unauthorized charging session initiation or manipulation of authorization records. …

Remediation: No vendor-released patch version was identified in the available data. …
