
Evoke CSMS: EUVD-2026-39566

CVE-2026-54479 (MEDIUM)
Insufficient Session Expiration (CWE-613)
2026-06-25 · icscert · GHSA-79m4-gx9c-j55f
Score: 6.9 (CVSS 4.0) · Vendor: icscert

Severity by source

Vendor (icscert), primary rating: 6.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.3 HIGH
Network-reachable WebSocket with no authentication required (PR:N), because session identifiers are predictable and guessable, at low attack complexity. Impersonation yields limited confidentiality and integrity impact; the flooding path yields limited availability impact.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS Vector (Vendor: icscert)

Breakdown of the vendor CVSS 4.0 vector given above:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Safety (S, supplemental): X (not defined)

Lifecycle Timeline (3 events)

  • Severity changed (NVD, Jun 25, 2026 22:22): HIGH → MEDIUM
  • CVSS changed (NVD, Jun 25, 2026 22:22): 7.3 (HIGH) → 6.9 (MEDIUM)
  • Analysis generated (vuln.today, Jun 25, 2026 21:52)

Description (CVE.org)

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Analysis (AI-generated)

Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. …
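The flawed pattern the description and analysis above name, next to a hardened counterpart, as an added example that is not Evoke's code: WeakRegistry keys the session on the charging-station identifier and accepts a second endpoint for the same id, while HardenedRegistry issues an opaque random token, allows one live session per station, expires idle sessions (the CWE-613 angle) and records a duplicate-connect event suitable for forwarding to a SIEM. Station ids, endpoints and the timeout are constructed sample values; the clock is injectable so expiry can be exercised deterministically.

```python
import secrets
import time


class WeakRegistry:
    """Pattern the advisory describes: the session identifier *is* the station id,
    so it is predictable, and a second endpoint presenting the same id is accepted
    alongside the first instead of being refused."""

    def __init__(self):
        self.sessions = {}  # station_id -> [endpoints]

    def connect(self, station_id, endpoint):
        self.sessions.setdefault(station_id, []).append(endpoint)
        return station_id  # guessable "session identifier"


class HardenedRegistry:
    """One live session per station, opaque random token, idle expiry, and an
    audit event whenever a second endpoint claims an already-bound station."""

    def __init__(self, idle_timeout=300, clock=time.monotonic):
        self.idle_timeout, self.clock = idle_timeout, clock  # constructed defaults
        self.by_station = {}  # station_id -> token
        self.by_token = {}    # token -> [station_id, endpoint, last_seen]
        self.audit = []       # events worth forwarding to the SIEM

    def _expire_idle(self):
        cutoff = self.clock() - self.idle_timeout
        for token, (sid, _ep, seen) in list(self.by_token.items()):
            if seen < cutoff:
                del self.by_token[token]
                del self.by_station[sid]
                self.audit.append(("session_expired", sid))

    def connect(self, station_id, endpoint):
        self._expire_idle()
        if station_id in self.by_station:  # duplicate claim: refuse and record it
            self.audit.append(("duplicate_station_connect", station_id, endpoint))
            return None
        token = secrets.token_urlsafe(32)  # 256-bit, not derivable from the station id
        self.by_station[station_id] = token
        self.by_token[token] = [station_id, endpoint, self.clock()]
        return token

    def touch(self, token):
        """Call per received frame; False means unknown or already-expired token."""
        self._expire_idle()
        entry = self.by_token.get(token)
        if entry is None:
            return False
        entry[2] = self.clock()
        return True
```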


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: reach the exposed CSMS WebSocket endpoint
  • Delivery: guess a valid charging-station session ID
  • Exploit: reuse or duplicate the predictable session identifier
  • Execution: impersonate a station or flood the backend
  • Impact: unauthorized access or denial of service

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires network reachability to the Evoke CSMS WebSocket/OCPP backend and knowledge or guessing of a valid charging-station identifier, which is feasible because the description states that session identifiers are predictable and that the backend permits multiple endpoints to connect with the same session identifier. …
Risk Assessment: The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base 7.3 High) indicates a network-reachable, low-complexity, unauthenticated attack with low impact on confidentiality, integrity, and availability, consistent with session impersonation plus a DoS path. …
Exploit Scenario: An attacker enumerates or guesses a target charging station's identifier and opens a WebSocket connection to the internet-exposed Evoke CSMS, binding the same predictable session identifier to impersonate that station/user without credentials. Alternatively, the attacker scripts a flood of valid-looking session requests to exhaust backend resources and deny service to legitimate charge points. …
Remediation: No vendor-released patch version is identified in the available data; consult the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02 and contact Evoke Systems directly via https://evokesystems.com/contact-us/ for an updated/fixed release, and apply it once published. …

Recommended Action (AI-generated)

**Within 24 hours:** Inventory all Evoke CSMS deployments; isolate systems to restricted network segments; alert operations and security teams; enable enhanced WebSocket endpoint logging. …


EUVD-2026-39566 vulnerability details – vuln.today
