Skip to main content

Evoke CSMS EUVDEUVD-2026-39569

| CVE-2026-40702 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-25 icscert GHSA-v97x-26qp-3g45
9.3
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.4 CRITICAL

Network-reachable WebSocket with no authentication gives AV:N/AC:L/PR:N/UI:N; impersonation exposes data and allows unauthorized actions (C:H/I:H) with limited availability impact (A:L), scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 25, 2026 - 22:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 22:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jun 25, 2026 - 22:22 NVD
9.4 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Jun 25, 2026 - 21:53 vuln.today

DescriptionCVE.org

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

AnalysisAI

Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach CSMS WebSocket endpoint
Delivery
Open unauthenticated WebSocket connection
Exploit
Impersonate a charging station identity
Execution
Send OCPP commands / read data
Persist
Escalate privileges in backend
Impact
Compromise charging management system

Vulnerability AssessmentAI

Exploitation The only prerequisite is network access to the Evoke CSMS WebSocket endpoint used by charging stations; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) and the description's statement that no authentication is required, exploitation works against default configurations without credentials or user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to genuine high priority: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable, low-complexity attack needing no privileges or user interaction, with High confidentiality and integrity impact and Low availability impact (VC:H/VI:H/VA:L), yielding a Critical 9.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the CSMS WebSocket endpoint over the network opens a connection and, because no credentials are checked, registers as an existing or arbitrary charging station identifier. They then issue OCPP messages to read transaction, meter, and configuration data and to send unauthorized control or configuration commands, pivoting toward privilege escalation across the management backend. …
Remediation No vendor-released patch version is identified in the available data, so confirm the fixed release directly with Evoke Systems (https://evokesystems.com/contact-us/) and review the CISA advisory ICSA-26-176-02 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02) for vendor-supplied guidance before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Inventory all Evoke CSMS deployments and network exposure; implement firewall rules restricting external access to WebSocket endpoints if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39569 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy