CVE-2026-24731 describes a critical vulnerability in ev2go.io, allowing attackers to impersonate charging stations and manipulate data. This stems from a lack of authentication on WebSocket endpoints, enabling unauthorized OCPP command execution. All versions of ev2go.io are affected, and a fix is pending.
The vulnerability allows an attacker to connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier without authentication. Subsequently, they can issue or receive OCPP commands as if they were a legitimate charger. This represents a significant privilege escalation risk, potentially granting attackers complete control over charging infrastructure. The attacker could manipulate charging sessions, alter reported data, and disrupt the charging network, leading to financial losses, reputational damage, and potentially even safety hazards. The lack of authentication makes exploitation relatively straightforward, increasing the potential for widespread abuse.
This vulnerability is considered high probability due to the ease of exploitation and the critical nature of the affected infrastructure. Public proof-of-concept code is not yet available, but the simplicity of the attack vector suggests it is likely to emerge. The vulnerability was publicly disclosed on 2026-02-26. It is not currently listed on CISA KEV.
Organizations deploying ev2go.io charging infrastructure, particularly those with publicly accessible charging stations or those relying on accurate charging network data, are at significant risk. Shared hosting environments where multiple charging stations share a single ev2go.io instance are also particularly vulnerable.
• other / charging infrastructure:
# Monitor for connections to OCPP WebSocket port (9000)
ss -t ln -p 9000 | grep ev2go.io• other / charging infrastructure:
# Check for unusual OCPP commands in logs (if logging is enabled)
grep -i "charge request|disconnect" /var/log/ev2go.io/*• other / charging infrastructure:
# Monitor for connections from unexpected IP addresses
journalctl -u ev2go.io | grep "Connection from" | sort -udisclosure
漏洞利用状态
EPSS
0.13% (32% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation is to upgrade to a patched version of ev2go.io once available. Until then, implement temporary workarounds to limit the impact. A Web Application Firewall (WAF) or proxy server can be configured to restrict access to the OCPP WebSocket endpoint, requiring authentication or limiting access based on IP address or other criteria. Carefully review and restrict access to the OCPP WebSocket endpoint. Implement strict input validation on all OCPP commands received to prevent malicious payloads. Monitor network traffic for suspicious OCPP command patterns.
为 WebSocket 端点实施强大的身份验证机制。在处理请求之前验证和授权所有 OCPP 请求。考虑使用数字证书或身份验证令牌来验证充电站的身份。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-24731 is a CRITICAL vulnerability affecting all ev2go.io versions. It allows unauthenticated attackers to impersonate charging stations and manipulate data due to a lack of authentication on WebSocket endpoints.
Yes, all versions of ev2go.io are currently affected by this vulnerability. Assess your deployments and implement mitigations immediately.
Upgrade to a patched version of ev2go.io as soon as it becomes available. Until then, implement WAF rules to restrict access to the OCPP WebSocket endpoint.
While no active exploitation has been confirmed, the ease of exploitation suggests it is a high-probability target. Monitor your systems closely.
Refer to the official ev2go.io security advisory for detailed information and updates regarding this vulnerability. Check their website and security mailing lists.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。