Platform
nodejs
Component
mobility46
CVE-2026-27028 affects the Mobility46 OCPP WebSocket Service, versions 1.0.0 and earlier. This vulnerability allows unauthenticated attackers to impersonate charging stations and manipulate OCPP commands, potentially leading to unauthorized control of charging infrastructure and data corruption. The vulnerability was published on 2026-02-27, and a patched version is required to remediate the issue.
The core of this vulnerability lies in the lack of authentication on the OCPP WebSocket endpoint. Attackers can connect using a known or discovered charging station identifier and issue commands as if they were a legitimate charger. This opens the door to a range of malicious activities. An attacker could manipulate charging sessions, alter reported energy consumption data, or even disable charging stations entirely. The potential for financial loss, reputational damage, and disruption of charging services is substantial. This vulnerability shares similarities with other authentication bypass flaws where lack of proper access controls allows for unauthorized actions, potentially impacting the entire charging network.
CVE-2026-27028 is currently not listed in the CISA KEV catalog. The EPSS score is likely to be assessed as medium to high probability due to the ease of exploitation (no authentication required) and the potential impact on critical infrastructure. No public proof-of-concept exploits are available yet, but the vulnerability's simplicity suggests they are likely to emerge. The vulnerability was publicly disclosed on 2026-02-27.
Organizations deploying Mobility46 OCPP WebSocket Service in charging infrastructure are at risk. This includes electric vehicle charging station operators, energy providers, and businesses with private charging networks. Shared hosting environments where multiple organizations share the same server infrastructure are particularly vulnerable, as a compromise of one tenant could potentially impact others.
• nodejs / server:
lsof -i :9000  # Check for connections to the OCPP WebSocket port (adjust port as needed)
netstat -an | grep :9000  # Alternative to lsof
• generic web:
curl -I https://<your_ocpp_server>/ocpp/v1.6/ws  # Check for WebSocket endpoint exposure
grep -r "ocpp/v1.6/ws" /var/log/nginx/access.log  # Look for requests to the WebSocket endpoint in access logs
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27028 is to upgrade to a patched version of the Mobility46 OCPP WebSocket Service as soon as it becomes available. Until a patch is available, consider implementing temporary workarounds. These might include restricting access to the WebSocket endpoint to trusted networks or implementing a reverse proxy with authentication. Carefully review and restrict access to the OCPP WebSocket endpoint, limiting it to known and trusted charging stations. Monitor WebSocket traffic for suspicious activity, such as unexpected commands or connections from unknown sources. After upgrading, confirm the fix by attempting to connect to the WebSocket endpoint without authentication and verifying that access is denied.
Update to the latest version provided by Mobility46. Implement robust authentication mechanisms on the WebSocket endpoints to prevent unauthorized access and data manipulation. Review and harden the security of the charging infrastructure to mitigate the risk of unauthorized control.
CVE-2026-27028 is a CRITICAL vulnerability in Mobility46 OCPP WebSocket Service versions 1.0.0 and earlier. It allows unauthenticated attackers to impersonate charging stations and manipulate data, potentially gaining unauthorized control of charging infrastructure.
If you are using Mobility46 OCPP WebSocket Service version 1.0.0 or earlier, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the Mobility46 OCPP WebSocket Service. Until a patch is available, implement temporary workarounds like restricting access to the WebSocket endpoint.
While there are no confirmed reports of active exploitation at this time, the ease of exploitation suggests it is likely to be targeted. Monitor your systems closely.
Refer to the Mobility46 official website and security advisories for the latest information and updates regarding CVE-2026-27028.