CVE-2026-27772 is a critical vulnerability affecting all versions of ev.energy's charging infrastructure software. It stems from a lack of authentication on WebSocket endpoints, allowing attackers to impersonate charging stations and manipulate data. This can result in unauthorized control of charging infrastructure and corruption of data reported to the backend, posing a significant risk to charging networks.
The primary impact of CVE-2026-27772 is the potential for unauthorized control of charging stations. An attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and issue commands as if they were a legitimate charger. This could involve manipulating charging rates, disconnecting vehicles prematurely, or even preventing legitimate users from accessing charging services. Furthermore, the ability to receive OCPP commands allows attackers to intercept and potentially alter data transmitted between the charging station and the backend system, leading to inaccurate billing, reporting, and potentially even the injection of malicious code. The blast radius extends to the entire charging network, as a compromised station can impact the integrity of the entire system’s data.
CVE-2026-27772 was publicly disclosed on 2026-02-27. The vulnerability's criticality (CVSS 9.4) and ease of exploitation (no authentication required) suggest a high probability of exploitation. While no public proof-of-concept (PoC) has been released as of this writing, the lack of authentication makes it a prime target for automated scanning and exploitation. It is recommended to monitor threat intelligence feeds for any indications of active campaigns targeting ev.energy infrastructure.
Organizations deploying ev.energy charging infrastructure are at risk, particularly those with publicly accessible charging stations or those lacking robust network segmentation. Shared hosting environments where multiple charging stations share a single IP address are also at increased risk, as a compromise of one station could potentially expose others. Legacy deployments using older, unpatched versions of ev.energy are especially vulnerable.
• linux / server: Monitor OCPP WebSocket traffic for connections originating from unexpected IP addresses or lacking proper authentication headers. Use tcpdump or Wireshark to capture and analyze WebSocket payloads for suspicious commands.
tcpdump -i any port 9000 -w capture.pcap
• generic web: Check for exposed OCPP WebSocket endpoints by attempting to connect to ws://<charging_station_ip>:9000/ without authentication. Analyze access logs for unusual connection patterns.
curl -v ws://<charging_station_ip>:9000/
Exploit status
EPSS
0.13% (32nd percentile)
The immediate mitigation is to upgrade to a patched version of ev.energy as soon as it becomes available. Until then, implement strict Web Application Firewall (WAF) rules to filter unauthorized OCPP commands and restrict access to the WebSocket endpoint. Consider implementing OCPP protocol validation to ensure commands adhere to expected formats and parameters. Network segmentation can also limit the potential impact of a compromised station. Monitor WebSocket traffic for unusual activity, such as commands originating from unexpected sources or exhibiting anomalous patterns. After implementing mitigations, verify their effectiveness by attempting to connect to the WebSocket endpoint without proper authentication and confirming that access is denied.
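Implement a robust authentication mechanism on the WebSocket endpoints. Validate and authorize every request before processing it. Consider using digital certificates or authentication tokens to verify the identity of chargers.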
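One way to implement the authentication recommended above, as an added example that is not ev.energy's code: the server decides on the WebSocket handshake before any OCPP frame is read, so a station identifier alone is never enough to connect. The `/ocpp/<station-id>` path layout, the HTTP Basic scheme, the credential store and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# Constructed credential store: station ID -> (salt, hash of its secret).
STATIONS = {"CP-0001": (b"salt-0001", _hash("constructed-secret-1", b"salt-0001"))}
DUMMY = (b"dummy-salt", _hash("dummy", b"dummy-salt"))  # equal work for unknown IDs
PATH_RE = re.compile(r"^/ocpp/([A-Za-z0-9_-]{1,48})$")  # hypothetical URL layout


def basic_header(user: str, secret: str) -> dict:
    """Build the header a provisioned station would send (for the demo calls)."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authorize_upgrade(path: str, headers: dict) -> tuple[int, str]:
    """Decide on a WebSocket upgrade request before any OCPP frame is read.

    Returns (HTTP status, reason); only 101 lets the handshake proceed.
    """
    m = PATH_RE.match(path)
    if not m:
        return 404, "unknown endpoint"
    station_id = m.group(1)
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401, "missing credentials"
    try:
        user, sep, secret = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # covers bad base64 and non-UTF-8 bytes
        return 401, "malformed credentials"
    salt, expected = STATIONS.get(station_id, DUMMY)
    ok = hmac.compare_digest(_hash(secret, salt), expected)
    # The credential must belong to the station named in the URL.
    if not (sep and ok and user == station_id and station_id in STATIONS):
        return 401, "bad credentials"
    return 101, "switching protocols"
```

Calling `authorize_upgrade("/ocpp/CP-0001", {})` mirrors the verification step in the mitigation paragraph: a request with no credentials must be refused before the connection is upgraded.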
CVE-2026-27772 is a critical vulnerability in ev.energy's charging infrastructure that allows unauthenticated attackers to impersonate charging stations and manipulate data via WebSocket endpoints, potentially leading to unauthorized control and data corruption.
Yes, all versions of ev.energy are affected by this vulnerability. If you are using ev.energy charging infrastructure, you are potentially at risk.
The primary fix is to upgrade to a patched version of ev.energy as soon as it becomes available. Until then, implement WAF rules and OCPP protocol validation as interim mitigations.
While no public exploits are currently known, the vulnerability's criticality and ease of exploitation suggest a high probability of exploitation. Monitor threat intelligence feeds for any indications of active campaigns.
Please refer to the official ev.energy security advisory for detailed information and updates regarding CVE-2026-27772.