Hydro-Québec Le Circuit Electrique charging station backend
View CSAF Summary Successful exploitation of these vulnerabilities could lead to privilege escalation, or result in a denial-of-service attack. The following versions of Hydro-Québec Le Circuit Electrique charging station backend are affected: Le Circuit Electrique charging station backend CVSS Vendor Equipment Vulnerabilities v3 9.8 Hydro-Québec Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration Background Critical Infrastructure Sectors: Transportation Systems Countries/Areas Deployed: Canada Company Headquarters Location: Canada Vulnerabilities Expand All + CVE-2026-20744 The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation. View CVE Details Affected Products Hydro-Québec Le Circuit Electrique charging station backend Vendor: Hydro-Québec Product Version: Hydro-Québec Le Circuit Electrique charging station backend: <June_2026 Product Status: known_affected Remediations Mitigation Hydro-Québec has updated the majority of charging stations to disable OCPP, mitigating the risk of exploitation. Hydro-Québec has also implemented authentication systems to mitigate the issue for certain charging stations which are still reliant on OCPP. Contact Hydro-Québec with any additional questions. Relevant CWE: CWE-284 Improper Access Control Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 4.0 9.3 CRITICAL CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-42952 Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a Denial-of-Service attack. View CVE Details Affected Products Hydro-Québec Le Circuit Electrique charging station backend Vendor: Hydro-Québec Product Version: Hydro-Québec Le Circui
CSIRTS triage
- What
- Vulnerabilities could lead to privilege escalation or denial-of-service attacks.
- Who is affected
- Deployments of the Le Circuit Electrique charging station backend in Canada.
- Urgency
- Remediation is critical due to the high CVSS score and potential for severe impact.
- Action
- Implement the recommended security measures to secure the websocket endpoint.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Le Circuit Electrique charging station backend
Get an email when a new Le Circuit Electrique charging station backend advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-20744 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-42952 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-44383 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- highCVE-2026-44383: Multiple connections to the backend using the same charging station ID are allowed, which coul…nvd
- highCVE-2026-42952: Previously, there was no throttling on repeated authentication attempts to the charging statio…nvd
- criticalCVE-2026-20744: The charging station websocket endpoint accepts connections without proper authentication, whi…nvd
More from CISA Cybersecurity Advisories
- highCISA Adds Two Known Exploited Vulnerabilities to Catalog2026-07-10
- criticalSchneider Electric PowerChute Serial Shutdown2026-07-09
- criticalOpenPLC v32026-07-09
- criticalSchneider Electric Easergy MiCOM Px40 Series2026-07-09
- highCISA Adds One Known Exploited Vulnerability to Catalog2026-07-07