Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable WebSocket, no auth (PR:N) due to predictable guessable session IDs, low complexity; impersonation gives limited C/I and the flooding path gives limited A.
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
AnalysisAI
Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the Evoke CSMS WebSocket/OCPP backend and knowledge or guessing of a valid charging-station identifier - which is feasible because the description states session identifiers are predictable and the backend permits multiple endpoints to connect with the same session identifier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base 7.3 High) indicates a network-reachable, low-complexity, unauthenticated attack with low impact across confidentiality, integrity, and availability - consistent with session impersonation plus a DoS path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates or guesses a target charging station's identifier and opens a WebSocket connection to the internet-exposed Evoke CSMS, binding the same predictable session identifier to impersonate that station/user without credentials. Alternatively, the attacker scripts a flood of valid-looking session requests to exhaust backend resources and deny service to legitimate charge points. … |
| Remediation | No vendor-released patch version is identified in the available data; consult the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02 and contact Evoke Systems directly via https://evokesystems.com/contact-us/ for an updated/fixed release and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
**Within 24 hours:** Inventory all Evoke CSMS deployments; isolate systems to restricted network segments; alert operations and security teams; enable enhanced WebSocket endpoint logging. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Evoke Csms
View allAuthentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated a
Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management sy
Evoke CSMS exposes charging station authentication identifiers through public web-based mapping platforms, allowing unau
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39566
GHSA-79m4-gx9c-j55f