
Evoke Csms

4 CVEs product


CVE-2026-40702 CRITICAL CISA Emergency

Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).

Tags: Authentication Bypass, Privilege Escalation, Information Disclosure, Evoke Csms
References: NVD, GitHub
CVSS 4.0: 9.3 | EPSS: 0.4%

CVE-2026-50176 HIGH CISA Act Now

Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Tags: Authentication Bypass, Evoke Csms
References: NVD, GitHub
CVSS 4.0: 8.7 | EPSS: 0.4%

CVE-2026-54479 MEDIUM CISA This Month

Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. Reported to CISA by ICS-CERT (advisory ICSA-26-176-02); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Tags: Authentication Bypass, Evoke Csms
References: NVD, GitHub
CVSS 4.0: 6.9 | EPSS: 0.2%

CVE-2026-44622 MEDIUM CISA This Month

Evoke CSMS exposes charging station authentication identifiers through public web-based mapping platforms, allowing unauthenticated network actors to harvest credentials with no special access or interaction. Classified under CWE-522 (Insufficiently Protected Credentials) and reported by ICS-CERT via advisory ICSA-26-176-02, this flaw affects all tracked versions of the Evoke Charging Station Management System across its entire version history per the wildcard CPE. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the zero-prerequisite exposure in an OT/energy infrastructure context represents a meaningful credential leakage risk for affected operators.

Tags: Information Disclosure, Evoke Csms
References: NVD, GitHub
CVSS 4.0: 6.9 | EPSS: 0.2%