EVoke Systems Charging Station Management System
View CSAF Summary Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks. The following versions of EVoke Systems Charging Station Management System are affected: EVoke CSMS vers:all/* CVSS Vendor Equipment Vulnerabilities v3 9.4 EVoke Systems EVoke Systems Charging Station Management System Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials Background Critical Infrastructure Sectors: Energy, Transportation Systems Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-40702 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. View CVE Details Affected Products EVoke Systems Charging Station Management System Vendor: EVoke Systems Product Version: EVoke Systems EVoke CSMS: vers:all/* Product Status: known_affected Remediations Vendor fix EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers OEMs, EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were install
CSIRTS triage
- What
- The vulnerabilities could enable attackers to gain unauthorized administrative control or disrupt charging services.
- Who is affected
- Deployments of EVoke Systems Charging Station Management System worldwide.
- Urgency
- Remediation is critical due to the high severity and potential for exploitation.
- Action
- Users should update to the latest version immediately.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Charging Station Management System
Get an email when a new Charging Station Management System advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-407020.38% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 30% of all scored CVEs.
- Low exploitation riskCVE-2026-501760.39% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 31% of all scored CVEs.
- Low exploitation riskCVE-2026-544790.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 16% of all scored CVEs.
- Low exploitation riskCVE-2026-446220.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 16% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-40702 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-50176 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54479 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-44622 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- highCVE-2026-54479: The WebSocket backend uses charging station identifiers to uniquely associate sessions but all…nvd
- highCVE-2026-50176: The WebSocket Application Programming Interface lacks restrictions on the number of authentica…nvd
- mediumCVE-2026-44622: Charging station authentication identifiers are publicly accessible via web-based mapping plat…nvd
- criticalCVE-2026-40702: WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate c…nvd
More from CISA Cybersecurity Advisories
- highCISA Adds Two Known Exploited Vulnerabilities to Catalog2026-07-10
- criticalSchneider Electric PowerChute Serial Shutdown2026-07-09
- criticalOpenPLC v32026-07-09
- criticalSchneider Electric Easergy MiCOM Px40 Series2026-07-09
- highCISA Adds One Known Exploited Vulnerability to Catalog2026-07-07