Platform: other
Component: csaf
CVE-2026-24731 describes a critical vulnerability in ev2go.io, allowing attackers to impersonate charging stations and manipulate data. This stems from a lack of authentication on WebSocket endpoints, enabling unauthorized OCPP command execution. All versions of ev2go.io are affected, and a fix is pending.
The vulnerability allows an attacker to connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier without authentication. Subsequently, they can issue or receive OCPP commands as if they were a legitimate charger. This represents a significant privilege escalation risk, potentially granting attackers complete control over charging infrastructure. The attacker could manipulate charging sessions, alter reported data, and disrupt the charging network, leading to financial losses, reputational damage, and potentially even safety hazards. The lack of authentication makes exploitation relatively straightforward, increasing the potential for widespread abuse.
This vulnerability is considered high probability due to the ease of exploitation and the critical nature of the affected infrastructure. Public proof-of-concept code is not yet available, but the simplicity of the attack vector suggests it is likely to emerge. The vulnerability was publicly disclosed on 2026-02-26. It is not currently listed on CISA KEV.
Organizations deploying ev2go.io charging infrastructure, particularly those with publicly accessible charging stations or those relying on accurate charging network data, are at significant risk. Shared hosting environments where multiple charging stations share a single ev2go.io instance are also particularly vulnerable.
• other / charging infrastructure:
# Monitor for listeners and established connections on the OCPP WebSocket port (9000)
ss -tlnp | grep ':9000 '
ss -tnp state established '( sport = :9000 )'
• other / charging infrastructure:
# Check for unusual OCPP commands in logs (if logging is enabled); -E is needed for the | alternation
grep -iE "charge request|disconnect" /var/log/ev2go.io/*
• other / charging infrastructure:
# Monitor for connections from unexpected IP addresses
journalctl -u ev2go.io | grep "Connection from" | sort -u
Disclosure
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS-vector
The primary mitigation is to upgrade to a patched version of ev2go.io once available. Until then, implement temporary workarounds to limit the impact. A Web Application Firewall (WAF) or proxy server can be configured to restrict access to the OCPP WebSocket endpoint, requiring authentication or limiting access based on IP address or other criteria. Carefully review and restrict access to the OCPP WebSocket endpoint. Implement strict input validation on all OCPP commands received to prevent malicious payloads. Monitor network traffic for suspicious OCPP command patterns.
Implement robust authentication mechanisms for the WebSocket endpoints. Validate and authorize all OCPP requests before they are processed. Consider using digital certificates or authentication tokens to verify the identity of charging stations.
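As an added example (not ev2go.io code, whose internals this page does not describe), the following Python sketch shows the two checks the mitigation above calls for: authenticating the WebSocket upgrade with HTTP Basic credentials bound to the charge-point identifier in the URL path, as OCPP 1.6 and 2.0.1 security profile 1 specify, and then accepting only well-formed OCPP-J CALL frames whose action a charge point is allowed to originate. The credential store, the sample password and the `/ocpp/<id>` path layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

# Constructed store: id -> (salt, hash); real deployments should use scrypt/argon2 in a database.
CREDENTIALS = {"CP-001": (b"salt-cp-001", _hash(b"salt-cp-001", "correct-horse"))}

# OCPP 1.6 actions a charge point may originate; anything else is rejected.
ALLOWED_CP_ACTIONS = {"BootNotification", "Heartbeat", "Authorize", "StartTransaction",
                      "StopTransaction", "MeterValues", "StatusNotification"}

def authenticate_upgrade(path: str, headers: dict) -> Optional[str]:
    """Return the charge-point id to accept the WebSocket handshake, else None.
    The id in the path (/ocpp/<id>, an assumed layout) must equal the Basic-auth
    username, so a client cannot claim an arbitrary station identifier."""
    if not path.startswith("/ocpp/"):
        return None
    cp_id = path[len("/ocpp/"):].split("/")[0]
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    entry = CREDENTIALS.get(cp_id)
    if entry is None or user != cp_id:
        return None
    salt, expected = entry
    # Constant-time compare so timing does not reveal how many bytes matched.
    return cp_id if hmac.compare_digest(_hash(salt, password), expected) else None

def authorize_call(raw: str) -> Optional[Tuple[str, str]]:
    """Accept only an OCPP-J CALL [2, uniqueId, action, payload] with an allowed action."""
    try:
        frame = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not (isinstance(frame, list) and len(frame) == 4 and frame[0] == 2):
        return None
    _, unique_id, action, payload = frame
    if not (isinstance(unique_id, str) and isinstance(action, str)
            and isinstance(payload, dict)):
        return None
    return (unique_id, action) if action in ALLOWED_CP_ACTIONS else None
```

A production server would run `authenticate_upgrade` during the HTTP upgrade and `authorize_call` on every inbound frame, tagging each accepted message with the authenticated station id rather than trusting the id the client presents.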
CVE-2026-24731 is a CRITICAL vulnerability affecting all ev2go.io versions. It allows unauthenticated attackers to impersonate charging stations and manipulate data due to a lack of authentication on WebSocket endpoints.
Yes, all versions of ev2go.io are currently affected by this vulnerability. Assess your deployments and implement mitigations immediately.
Upgrade to a patched version of ev2go.io as soon as it becomes available. Until then, implement WAF rules to restrict access to the OCPP WebSocket endpoint.
While no active exploitation has been confirmed, the ease of exploitation suggests it is a high-probability target. Monitor your systems closely.
Refer to the official ev2go.io security advisory for detailed information and updates regarding this vulnerability. Check their website and security mailing lists.