Evoke Csms
Monthly
Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).
Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. Reported to CISA by ICS-CERT (advisory ICSA-26-176-02); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Evoke CSMS exposes charging station authentication identifiers through public web-based mapping platforms, allowing unauthenticated network actors to harvest credentials with no special access or interaction. Classified under CWE-522 (Insufficiently Protected Credentials) and reported by ICS-CERT via advisory ICSA-26-176-02, this flaw affects all tracked versions of the Evoke Charging Station Management System across its entire version history per the wildcard CPE. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the zero-prerequisite exposure in an OT/energy infrastructure context represents a meaningful credential leakage risk for affected operators.
Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).
Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. Reported to CISA by ICS-CERT (advisory ICSA-26-176-02); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Evoke CSMS exposes charging station authentication identifiers through public web-based mapping platforms, allowing unauthenticated network actors to harvest credentials with no special access or interaction. Classified under CWE-522 (Insufficiently Protected Credentials) and reported by ICS-CERT via advisory ICSA-26-176-02, this flaw affects all tracked versions of the Evoke Charging Station Management System across its entire version history per the wildcard CPE. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the zero-prerequisite exposure in an OT/energy infrastructure context represents a meaningful credential leakage risk for affected operators.