EV2GO ev2go.io
Priority: Act Now
CVSS score: 9.4
Advisory: ICS-CERT ICSA-26-057-04
Date: Feb 26, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple critical authentication and data protection vulnerabilities in the EV2GO charging platform allow attackers to impersonate charging stations, hijack user sessions, suppress or misroute traffic (causing large-scale denial of service), and manipulate backend data. All versions of ev2go.io are affected. The vendor has not responded to CISA's coordination requests, and no fix is currently available.
What this means
What could happen
An attacker could impersonate legitimate EV charging stations, hijack user sessions, or redirect traffic to cause widespread charging service outages. Attackers could also modify data sent to backend systems, potentially affecting billing, usage tracking, and fleet management systems that rely on EV2GO data.
Who's at risk
Transit agencies, municipal fleets, and private fleet operators that use EV2GO for managing electric vehicle charging and billing. This affects any organization relying on the EV2GO platform for charging station operations, session management, or vehicle charge data integration with backend fleet systems.
How it could be exploited
An attacker on the network could exploit authentication and data protection flaws in the EV2GO platform to impersonate a charging station without valid credentials, intercept and hijack active user sessions, or inject malicious data into the backend system. This could be done by crafting requests to the EV2GO API or mobile app infrastructure to bypass session validation or station authentication checks.
Prerequisites
- Network access to EV2GO cloud infrastructure or API endpoints
- No valid credentials required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · high CVSS score (9.4)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: ev2go.io (vers:all/*)
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Contact EV2GO immediately for security guidance and a timeline for patches. Do not wait for automatic updates.
HARDENING: Review access logs for any signs of session hijacking, charging station spoofing, or unexpected data modifications in your EV2GO account.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
HARDENING: Implement network-level monitoring and filtering to detect unusual EV2GO API traffic or charging station communication patterns.
WORKAROUND: If your fleet or charging operations depend on EV2GO, consider activating backup charging networks or manual session validation processes until a vendor fix is available.
API:
/api/v1/advisories/b8681637-3b02-4161-b105-50cd4a3a7f3c