Platform
nodejs
Component
mobility46
CVE-2026-27028 affects the Mobility46 OCPP WebSocket Service, versions 1.0.0 and earlier. This vulnerability allows unauthenticated attackers to impersonate charging stations and manipulate OCPP commands, potentially leading to unauthorized control of charging infrastructure and data corruption. The vulnerability was published on 2026-02-27, and a patched version is required to remediate the issue.
The core of this vulnerability lies in the lack of authentication on the OCPP WebSocket endpoint. Attackers can connect using a known or discovered charging station identifier and issue commands as if they were a legitimate charger. This opens the door to a range of malicious activities. An attacker could manipulate charging sessions, alter reported energy consumption data, or even disable charging stations entirely. The potential for financial loss, reputational damage, and disruption of charging services is substantial. This vulnerability shares similarities with other authentication bypass flaws where lack of proper access controls allows for unauthorized actions, potentially impacting the entire charging network.
CVE-2026-27028 is currently not listed on the CISA KEV catalog. The EPSS score is likely to be assessed as medium to high probability due to the ease of exploitation (no authentication required) and the potential impact on critical infrastructure. No public proof-of-concept exploit is available yet, but the vulnerability's simplicity suggests one is likely to emerge. The vulnerability was publicly disclosed on 2026-02-27.
Organizations deploying Mobility46 OCPP WebSocket Service in charging infrastructure are at risk. This includes electric vehicle charging station operators, energy providers, and businesses with private charging networks. Shared hosting environments where multiple organizations share the same server infrastructure are particularly vulnerable, as a compromise of one tenant could potentially impact others.
• nodejs / server:
  lsof -i :9000                 # Check for connections to the OCPP WebSocket port (adjust port as needed)
  netstat -an | grep :9000      # Alternative to lsof
• generic web:
  curl -I https://<your_ocpp_server>/ocpp/v1.6/ws         # Check for WebSocket endpoint exposure
  grep -r "ocpp/v1.6/ws" /var/log/nginx/access.log        # Look for requests to the WebSocket endpoint in access logs
Disclosure
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27028 is to upgrade to a patched version of the Mobility46 OCPP WebSocket Service as soon as it becomes available. Until a patch is available, consider implementing temporary workarounds. These might include restricting access to the WebSocket endpoint to trusted networks or implementing a reverse proxy with authentication. Carefully review and restrict access to the OCPP WebSocket endpoint, limiting it to known and trusted charging stations. Monitor WebSocket traffic for suspicious activity, such as unexpected commands or connections from unknown sources. After upgrading, confirm the fix by attempting to connect to the WebSocket endpoint without authentication and verifying that access is denied.
Update to the latest version provided by Mobility46. Implement a robust authentication mechanism on the WebSocket endpoint to prevent unauthorized access and data manipulation. Review and harden the security of the charging infrastructure to reduce the risk of unauthorized control.
CVE-2026-27028 is a CRITICAL vulnerability in Mobility46 OCPP WebSocket Service versions 1.0.0 and earlier. It allows unauthenticated attackers to impersonate charging stations and manipulate data, potentially gaining unauthorized control of charging infrastructure.
If you are using Mobility46 OCPP WebSocket Service version 1.0.0 or earlier, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the Mobility46 OCPP WebSocket Service. Until a patch is available, implement temporary workarounds like restricting access to the WebSocket endpoint.
While there are no confirmed reports of active exploitation at this time, the ease of exploitation suggests it is likely to be targeted. Monitor your systems closely.
Refer to the Mobility46 official website and security advisories for the latest information and updates regarding CVE-2026-27028.