Search criteria
8 vulnerabilities found for ev2go.io by EV2GO
CVE-2026-25945 (GCVE-0-2026-25945)
Vulnerability from nvd – Published: 2026-02-26 23:46 – Updated: 2026-02-26 23:46
VLAI?
Title
EV2GO ev2go.io Improper Restriction of Excessive Authentication Attempts
Summary
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
Severity ?
7.5 (High)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access."
}
],
"value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:46:14.876Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Improper Restriction of Excessive Authentication Attempts",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-25945",
"datePublished": "2026-02-26T23:46:14.876Z",
"dateReserved": "2026-02-23T23:41:36.747Z",
"dateUpdated": "2026-02-26T23:46:14.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24731 (GCVE-0-2026-24731)
Vulnerability from nvd – Published: 2026-02-26 23:43 – Updated: 2026-02-26 23:52
VLAI?
Title
EV2GO ev2go.io Missing Authentication for Critical Function
Summary
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Severity ?
9.4 (Critical)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WebSocket endpoints lack proper authentication mechanisms, enabling \nattackers to perform unauthorized station impersonation and manipulate \ndata sent to the backend. An unauthenticated attacker can connect to the\n OCPP WebSocket endpoint using a known or discovered charging station \nidentifier, then issue or receive OCPP commands as a legitimate charger.\n Given that no authentication is required, this can lead to privilege \nescalation, unauthorized control of charging infrastructure, and \ncorruption of charging network data reported to the backend."
}
],
"value": "WebSocket endpoints lack proper authentication mechanisms, enabling \nattackers to perform unauthorized station impersonation and manipulate \ndata sent to the backend. An unauthenticated attacker can connect to the\n OCPP WebSocket endpoint using a known or discovered charging station \nidentifier, then issue or receive OCPP commands as a legitimate charger.\n Given that no authentication is required, this can lead to privilege \nescalation, unauthorized control of charging infrastructure, and \ncorruption of charging network data reported to the backend."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:52:30.793Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Missing Authentication for Critical Function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-24731",
"datePublished": "2026-02-26T23:43:51.003Z",
"dateReserved": "2026-02-23T23:41:36.757Z",
"dateUpdated": "2026-02-26T23:52:30.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22890 (GCVE-0-2026-22890)
Vulnerability from nvd – Published: 2026-02-26 23:50 – Updated: 2026-02-26 23:50
VLAI?
Title
EV2GO ev2go.io Insufficiently Protected Credentials
Summary
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Severity ?
6.5 (Medium)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms."
}
],
"value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:50:56.274Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Insufficiently Protected Credentials",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-22890",
"datePublished": "2026-02-26T23:50:56.274Z",
"dateReserved": "2026-02-23T23:41:36.723Z",
"dateUpdated": "2026-02-26T23:50:56.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20895 (GCVE-0-2026-20895)
Vulnerability from nvd – Published: 2026-02-26 23:48 – Updated: 2026-02-26 23:51
VLAI?
Title
EV2GO ev2go.io Insufficient Session Expiration
Summary
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.
Severity ?
7.3 (High)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests."
}
],
"value": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:51:53.584Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Insufficient Session Expiration",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-20895",
"datePublished": "2026-02-26T23:48:03.827Z",
"dateReserved": "2026-02-23T23:41:36.739Z",
"dateUpdated": "2026-02-26T23:51:53.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22890 (GCVE-0-2026-22890)
Vulnerability from cvelistv5 – Published: 2026-02-26 23:50 – Updated: 2026-02-26 23:50
VLAI?
Title
EV2GO ev2go.io Insufficiently Protected Credentials
Summary
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Severity ?
6.5 (Medium)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms."
}
],
"value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:50:56.274Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Insufficiently Protected Credentials",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-22890",
"datePublished": "2026-02-26T23:50:56.274Z",
"dateReserved": "2026-02-23T23:41:36.723Z",
"dateUpdated": "2026-02-26T23:50:56.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20895 (GCVE-0-2026-20895)
Vulnerability from cvelistv5 – Published: 2026-02-26 23:48 – Updated: 2026-02-26 23:51
VLAI?
Title
EV2GO ev2go.io Insufficient Session Expiration
Summary
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.
Severity ?
7.3 (High)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests."
}
],
"value": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:51:53.584Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Insufficient Session Expiration",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-20895",
"datePublished": "2026-02-26T23:48:03.827Z",
"dateReserved": "2026-02-23T23:41:36.739Z",
"dateUpdated": "2026-02-26T23:51:53.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25945 (GCVE-0-2026-25945)
Vulnerability from cvelistv5 – Published: 2026-02-26 23:46 – Updated: 2026-02-26 23:46
VLAI?
Title
EV2GO ev2go.io Improper Restriction of Excessive Authentication Attempts
Summary
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attacks by suppressing
or mis-routing legitimate charger telemetry, or conduct brute-force
attacks to gain unauthorized access.
Severity ?
7.5 (High)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access."
}
],
"value": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:46:14.876Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Improper Restriction of Excessive Authentication Attempts",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-25945",
"datePublished": "2026-02-26T23:46:14.876Z",
"dateReserved": "2026-02-23T23:41:36.747Z",
"dateUpdated": "2026-02-26T23:46:14.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24731 (GCVE-0-2026-24731)
Vulnerability from cvelistv5 – Published: 2026-02-26 23:43 – Updated: 2026-02-26 23:52
VLAI?
Title
EV2GO ev2go.io Missing Authentication for Critical Function
Summary
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Severity ?
9.4 (Critical)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WebSocket endpoints lack proper authentication mechanisms, enabling \nattackers to perform unauthorized station impersonation and manipulate \ndata sent to the backend. An unauthenticated attacker can connect to the\n OCPP WebSocket endpoint using a known or discovered charging station \nidentifier, then issue or receive OCPP commands as a legitimate charger.\n Given that no authentication is required, this can lead to privilege \nescalation, unauthorized control of charging infrastructure, and \ncorruption of charging network data reported to the backend."
}
],
"value": "WebSocket endpoints lack proper authentication mechanisms, enabling \nattackers to perform unauthorized station impersonation and manipulate \ndata sent to the backend. An unauthenticated attacker can connect to the\n OCPP WebSocket endpoint using a known or discovered charging station \nidentifier, then issue or receive OCPP commands as a legitimate charger.\n Given that no authentication is required, this can lead to privilege \nescalation, unauthorized control of charging infrastructure, and \ncorruption of charging network data reported to the backend."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:52:30.793Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Missing Authentication for Critical Function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-24731",
"datePublished": "2026-02-26T23:43:51.003Z",
"dateReserved": "2026-02-23T23:41:36.757Z",
"dateUpdated": "2026-02-26T23:52:30.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}