CloudCharge cloudcharge.se

CVSS 9.4 | ICS-CERT ICSA-26-057-03 | Published Feb 26, 2026
Transportation
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Multiple authentication and session management vulnerabilities in the CloudCharge charging station platform affect all versions. They allow attackers to impersonate charging stations (CWE-306, Missing Authentication for Critical Function), bypass authentication controls (CWE-307, Improper Restriction of Excessive Authentication Attempts; CWE-613, Insufficient Session Expiration), and intercept session data (CWE-522, Insufficiently Protected Credentials). Successful exploitation enables session hijacking, charging station impersonation, suppression of legitimate traffic (denial of service), and manipulation of the charging data sent to backend systems. The vendor has not responded to coordination requests and has indicated that no fix is planned.

What this means
What could happen
An attacker could impersonate charging stations, hijack user sessions, or manipulate charging data sent to the backend system. Attackers could also suppress legitimate traffic to cause charging station outages across a network.
Who's at risk
Organizations operating CloudCharge electric vehicle charging station networks, particularly those in transportation and fleet charging sectors. This affects the charging infrastructure itself and backend charging management systems that process payment and session data.
How it could be exploited
An attacker with network access can exploit the missing authentication controls and weak session management to intercept or spoof communications between charging stations and the CloudCharge backend. With a captured or forged station identity, the attacker can register as that station, take over its active session, or send charging data that the backend accepts as genuine; by suppressing the legitimate station's traffic, the attacker can take it offline. Where the channel is plain HTTP, session data is readable by anyone on the path; where HTTPS is in use, interception additionally requires a position that can terminate or strip TLS.
Prerequisites
  • Network access to CloudCharge communication channels (HTTP/HTTPS)
  • No valid credentials required for initial exploitation
  • Access to network segment where charging station traffic is visible
Tags: remotely exploitable | no authentication required | low complexity | no patch available | critical CVSS score (9.4)
Exploitability
Unlikely to be exploited: EPSS score 0.2% (low predicted probability of in-the-wild exploitation over the next 30 days). EPSS estimates likelihood, not impact; with an unauthenticated network attack path and no fix planned, the low score does not lower the priority of the mitigations below.
Affected products (1)
Product         | Affected Versions          | Fix Status
cloudcharge.se  | vers:all/* (all versions)  | No fix (EOL)
Remediation & Mitigation
Do now
[HARDENING] Contact CloudCharge support immediately to request security advisories and any available patches or workarounds
[HARDENING] Implement network segmentation to isolate CloudCharge charging infrastructure from general IT networks
Schedule — requires maintenance window

No patch is currently available. If the vendor ever releases one, applying it may require a device reboot, so plan for process interruption.

[HARDENING] Deploy network monitoring and intrusion detection on charging station communications to detect spoofing or session hijacking attempts
[WORKAROUND] Implement API gateway or proxy controls to validate and authenticate all charging station communication
[WORKAROUND] Restrict network access to CloudCharge backend systems to known charging station IP addresses and subnets only
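The monitoring control and the two gateway workarounds above can share one enforcement point. The following Python sketch is an added illustration, not CloudCharge's code and not part of the advisory: an authenticating proxy that supplies what the product does not, namely a per-station credential (CWE-306), lockout after repeated failures (CWE-307), an absolute session lifetime (CWE-613), a source-subnet allowlist, and an alert for each spoofing or hijack indicator the monitoring item refers to. The station ID, the HMAC-over-nonce login, the shared secret, the subnet and addresses, and the attacker's replay and token-theft traffic are all assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

SESSION_MAX_AGE = 900  # seconds; assumed absolute session lifetime (CWE-613 control)
MAX_FAILURES = 5       # assumed bad-credential attempts per source before lockout (CWE-307 control)


def sign(secret: bytes, station_id: str, nonce: str) -> str:
    """Station-side login credential (assumed scheme): HMAC-SHA256 over identity and a fresh nonce."""
    return hmac.new(secret, f"{station_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


@dataclass
class StationPolicy:
    secret: bytes                        # per-station secret, assumed provisioned out of band
    allowed_net: ipaddress.IPv4Network   # subnet this station is allowed to connect from


@dataclass
class Session:
    station_id: str
    src_ip: str
    created: float


@dataclass
class Gateway:
    policies: dict                                  # station_id -> StationPolicy
    sessions: dict = field(default_factory=dict)    # token -> Session
    seen_nonces: set = field(default_factory=set)   # (station_id, nonce) already accepted
    failures: dict = field(default_factory=dict)    # src_ip -> consecutive bad credentials
    alerts: list = field(default_factory=list)      # every rejection, for the SOC

    def _reject(self, kind: str, **ctx):
        self.alerts.append({"kind": kind, **ctx})
        return None

    def authenticate(self, station_id, src_ip, nonce, mac, now):
        """Login: allowlist, lockout, replay and credential checks; returns a token or None."""
        policy = self.policies.get(station_id)
        if policy is None:
            return self._reject("unknown_station", station_id=station_id, src_ip=src_ip)
        if ipaddress.ip_address(src_ip) not in policy.allowed_net:
            return self._reject("source_not_allowlisted", station_id=station_id, src_ip=src_ip)
        if self.failures.get(src_ip, 0) >= MAX_FAILURES:
            return self._reject("locked_out", station_id=station_id, src_ip=src_ip)
        if (station_id, nonce) in self.seen_nonces:   # captured login replayed from another host
            return self._reject("replayed_nonce", station_id=station_id, src_ip=src_ip)
        if not hmac.compare_digest(sign(policy.secret, station_id, nonce), mac):
            self.failures[src_ip] = self.failures.get(src_ip, 0) + 1
            return self._reject("bad_credential", station_id=station_id, src_ip=src_ip)
        self.failures[src_ip] = 0
        self.seen_nonces.add((station_id, nonce))
        token = secrets.token_hex(16)
        self.sessions[token] = Session(station_id, src_ip, now)
        return token

    def authorize(self, token, src_ip, now) -> bool:
        """Per-message check: known token, within lifetime, same source host as at login."""
        sess = self.sessions.get(token)
        if sess is None:
            self._reject("unknown_session", src_ip=src_ip)
            return False
        if now - sess.created > SESSION_MAX_AGE:
            del self.sessions[token]
            self._reject("session_expired", station_id=sess.station_id, src_ip=src_ip)
            return False
        if src_ip != sess.src_ip:  # hijack indicator: revoke, the real station must log in again
            del self.sessions[token]
            self._reject("token_reused_from_new_ip", station_id=sess.station_id,
                         src_ip=src_ip, first_ip=sess.src_ip)
            return False
        return True


def run_demo():
    """Constructed traffic: one legitimate station and one attacker on the same /24."""
    secret = b"cs-0001-constructed-secret"
    gw = Gateway({"CS-0001": StationPolicy(secret, ipaddress.ip_network("10.20.0.0/24"))})
    station_ip, attacker_ip, outside_ip = "10.20.0.15", "10.20.0.99", "198.51.100.7"
    t = 1_700_000_000.0
    mac = sign(secret, "CS-0001", "n1")
    tok = gw.authenticate("CS-0001", station_ip, "n1", mac, t)          # legitimate login
    gw.authenticate("CS-0001", outside_ip, "n1", mac, t)                # outside the allowlist
    gw.authenticate("CS-0001", attacker_ip, "n1", mac, t)               # sniffed login replayed
    for i in range(MAX_FAILURES + 1):                                   # guessing: 5 bad, then locked out
        gw.authenticate("CS-0001", attacker_ip, f"g{i}", "00" * 32, t)
    gw.authorize(tok, attacker_ip, t + 10)                              # stolen token from attacker host
    gw.authorize(tok, station_ip, t + 20)                               # revoked: real station must re-login
    tok2 = gw.authenticate("CS-0001", station_ip, "n2", sign(secret, "CS-0001", "n2"), t + 30)
    still_valid = gw.authorize(tok2, station_ip, t + 40)
    gw.authorize(tok2, station_ip, t + 30 + SESSION_MAX_AGE + 1)        # absolute lifetime exceeded
    return {"first_login_ok": tok is not None, "relogin_ok": tok2 is not None,
            "valid_before_expiry": still_valid, "alerts": [a["kind"] for a in gw.alerts]}


if __name__ == "__main__":
    print(run_demo()["alerts"])
```

Run it directly to print the alert sequence. Two design choices matter for this advisory's denial-of-service outcome: lockout is keyed on the source address rather than the station ID, so an attacker who knows a station's ID cannot lock the real station out by guessing credentials in its name; and a token seen from a second address is revoked rather than only flagged, which forces the real station to re-authenticate but ends the hijacked session immediately.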
API: /api/v1/advisories/8af193b5-abe0-4a4e-82ae-c0c5bea18b8a


CloudCharge cloudcharge.se | CVSS 9.4 - OTPulse