EVoke Systems Charging Station Management System
EVoke Systems Charging Station Management System affected by four critical vulnerabilities enabling unauthorized
Summary
CISA issued an advisory for EVoke Systems Charging Station Management System (CSMS) disclosing four critical vulnerabilities affecting all versions worldwide. The flaws include missing WebSocket authentication (CVE-2026-40702), lack of rate limiting on authentication requests (CVE-2026-50176), insufficient session expiration with predictable identifiers (CVE-2026-54479), and publicly accessible charging station credentials via web-based platforms (CVE-2026-44622). Exploitation could enable attackers to gain unauthorized administrative control or disrupt charging services through denial-of-service attacks.
Full text
ICS Advisory EVoke Systems Charging Station Management System Release DateJune 25, 2026 Alert CodeICSA-26-176-02 Related topics: Industrial Control System Vulnerabilities , Industrial Control Systems View CSAF Summary Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks. The following versions of EVoke Systems Charging Station Management System are affected: EVoke CSMS vers:all/* CVSS Vendor Equipment Vulnerabilities v3 9.4 EVoke Systems EVoke Systems Charging Station Management System Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials Background Critical Infrastructure Sectors: Energy, Transportation Systems Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-40702 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. View CVE Details Affected Products EVoke Systems Charging Station Management System Vendor:EVoke Systems Product Version:EVoke Systems EVoke CSMS: vers:all/* Product Status:known_affected Remediations Vendor fixEVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers OEMs, EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3. Vendor fixEVoke states that certain legacy charger models deployed on the network are no longer supported by the manufacturer (for example, chargers originally produced by EVBox). These devices cannot be upgraded to support stronger security profiles. For chargers limited to Security Profiles 0 or 1, EVoke is implementing additional server-side protections to mitigate spoofing risks. Allow-listed chargers will only be accepted from chargers whose IDs are registered in the EVoke CSMS inventory database. Unknown charger identifiers will be rejected. MitigationEVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers. MitigationEVoke states that the platform will monitor session anomalies including repeated connection attempts, unexpected IP address changes, and abnormal message patterns. Security events will be logged and flagged for operational review. MitigationEVoke states that to address the risk of denial-of-service via repeated authentication attempts, EVoke will implement connection rate limiting at the WebSocket gateway layer. These controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns. MitigationEVoke states they are developing a lifecycle policy for legacy chargers that cannot support modern OCPP security profiles. This policy will include identification of unsupported EVSE models and risk classification Migration planning with site operators where possible MitigationContact EVoke using their contact page: https://evokesystems.com/contact-us/ for more information.https://evokesystems.com/contact-us/ Relevant CWE: CWE-306 Missing Authentication for Critical Function Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.4 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L 4.0 9.3 CRITICAL https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVE-2026-50176 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access. View CVE Details Affected Products EVoke Systems Charging Station Management System Vendor:EVoke Systems Product Version:EVoke Systems EVoke CSMS: vers:all/* Product Status:known_affected Remediations Vendor fixEVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers OEMs, EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3. Vendor fixEVoke states that certain legacy charger models deployed on the network are no longer supported by the manufacturer (for example, chargers originally produced by EVBox). These devices cannot be upgraded to support stronger security profiles. For chargers limited to Security Profiles 0 or 1, EVoke is implementing additional server-side protections to mitigate spoofing risks. Allow-listed chargers will only be accepted from chargers whose IDs are registered in the EVoke CSMS inventory database. Unknown charger identifiers will be rejected. MitigationEVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers. MitigationEVoke states that the platform will monitor session anomalies including repeated connection attempts, unexpected IP address changes, and abnormal message patterns. Security events will be logged and flagged for operational review. MitigationEVoke states that to address the risk of denial-of-service via repeated authentication attempts, EVoke will implement connection rate limiting at the WebSocket gateway layer. These controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns. MitigationEVoke states they are developing a lifecycle policy for legacy chargers that cannot support mo
Indicators of Compromise
- cve — CVE-2026-40702
- cve — CVE-2026-50176
- cve — CVE-2026-54479
- cve — CVE-2026-44622
- url — https://evokesystems.com/contact-us/