OTPulse

CloudCharge cloudcharge.se

Act Now | CVSS 9.4 | ICS-CERT ICSA-26-057-03 | Feb 26, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

CloudCharge cloudcharge.se contains multiple authentication and data integrity vulnerabilities (CWE-306, CWE-307, CWE-613, CWE-522) affecting all versions. Successful exploitation could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic causing large-scale denial of service, and manipulate data sent to the backend system. The vendor has not responded to CISA's request for coordination and has not released patches.

What this means
What could happen
An attacker could impersonate legitimate charging stations, hijack user sessions, or manipulate data sent to the backend system, potentially causing large-scale denial of service to electric vehicle charging networks and disrupting transportation electrification infrastructure.
Who's at risk
Public electric vehicle charging networks and transportation operators deploying the CloudCharge cloudcharge.se platform for charging station management and billing. This affects any utility or municipality managing distributed EV charging infrastructure, as compromised stations could disrupt service availability and manipulate transaction data.
How it could be exploited
An attacker on the network could exploit weak or missing authentication controls (CWE-306, CWE-307) and insecure credential storage (CWE-522) to impersonate charging stations or hijack operator sessions. By manipulating session tokens or authentication data, the attacker could suppress or misroute traffic to backend systems, disrupting charging service availability and data integrity.
Prerequisites
  • Network access to the CloudCharge cloudcharge.se platform
  • Knowledge of session handling or API endpoints
  • No valid credentials required for initial exploitation
remotely exploitable | no authentication required | low complexity | no patch available | affects critical transportation infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
cloudcharge.se: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Contact CloudCharge support at https://cloudcharge.tech/support/contact/ to request security updates and guidance, as the vendor has not responded to CISA coordination
  • HARDENING: Deploy network monitoring and logging on all CloudCharge API and backend connections to detect anomalous session activity or data manipulation
  • WORKAROUND: Implement rate limiting and traffic filtering at your network boundary to reduce the impact of potential denial of service attacks from compromised charging stations
Mitigations - no patch available
cloudcharge.se: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to isolate CloudCharge charging station management traffic from other critical plant networks
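
One way to act on the monitoring item above, shown as an added example that is not part of the advisory and not CloudCharge code: a detector that flags a station identifier with open sessions from two source addresses at once (the impersonation and session hijacking described) and bursts of failed authentication from one source (CWE-307). The log format, event names and thresholds are assumptions; adapt the parsing to whatever your gateway or proxy actually records.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (not CloudCharge output):
# ISO timestamp, source IP, station identifier, event
SAMPLE_LOG = """\
2026-02-26T10:00:00 10.20.0.11 STATION-A CONNECT
2026-02-26T10:00:05 10.20.0.12 STATION-B CONNECT
2026-02-26T10:01:00 198.51.100.7 STATION-A CONNECT
2026-02-26T10:02:00 10.20.0.12 STATION-B DISCONNECT
2026-02-26T10:02:30 10.20.0.12 STATION-B CONNECT
2026-02-26T10:03:00 203.0.113.9 STATION-C AUTH_FAIL
2026-02-26T10:03:02 203.0.113.9 STATION-D AUTH_FAIL
2026-02-26T10:03:04 203.0.113.9 STATION-E AUTH_FAIL
2026-02-26T10:03:06 203.0.113.9 STATION-F AUTH_FAIL
2026-02-26T10:03:08 203.0.113.9 STATION-G AUTH_FAIL
2026-02-26T10:20:00 10.20.0.13 STATION-H AUTH_FAIL
"""

MAX_FAILS = 5                        # assumed threshold; tune to your fleet
FAIL_WINDOW = timedelta(minutes=1)   # assumed sliding window


def detect(log_text, max_fails=MAX_FAILS, window=FAIL_WINDOW):
    """Return a list of (kind, subject, detail) alerts for the log text."""
    open_sessions = defaultdict(set)   # station id -> source IPs with an open session
    fails = defaultdict(deque)         # source IP -> recent AUTH_FAIL timestamps
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                   # skip lines that do not have four fields
        ts, src, station, event = parts
        when = datetime.fromisoformat(ts)
        if event == "CONNECT":
            others = open_sessions[station] - {src}
            if others:                 # same identity already live from elsewhere
                alerts.append(("duplicate_station", station, f"{src} while open from {sorted(others)}"))
            open_sessions[station].add(src)
        elif event == "DISCONNECT":
            open_sessions[station].discard(src)
        elif event == "AUTH_FAIL":
            recent = fails[src]
            recent.append(when)
            while when - recent[0] > window:
                recent.popleft()       # drop failures older than the window
            if len(recent) == max_fails:   # fires when the count hits the threshold
                alerts.append(("auth_fail_burst", src, f"{len(recent)} failures in {window}"))
    return alerts
```

On the constructed sample, `detect(SAMPLE_LOG)` reports STATION-A connecting from a second address while its first session is still open, and the failure burst from 203.0.113.9; the STATION-B reconnect from the same address raises nothing.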