EV2GO ev2go.io

Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-057-04 | Feb 26, 2026
Transportation
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

EV2GO ev2go.io contains multiple authentication and data validation vulnerabilities (CWE-306, CWE-307, CWE-613, CWE-522) that allow attackers to impersonate charging stations, hijack user sessions, suppress or misroute traffic causing denial of service, and manipulate backend data. All versions are affected. EV2GO did not respond to CISA coordination requests and has indicated no fix is planned.

What this means
What could happen
An attacker could impersonate charging stations, hijack user sessions, or manipulate charging data sent to EV2GO's backend system, disrupting electric vehicle charging operations and potentially causing widespread denial of service across the charging network.
Who's at risk
Electric vehicle charging network operators, municipal transit authorities, and fleet operators using EV2GO charging infrastructure are affected. This includes both the charging stations themselves and the backend systems that process charging transactions and manage station operations.
How it could be exploited
An attacker on the network could exploit missing or weak authentication mechanisms to impersonate legitimate charging stations or intercept session tokens. By doing so, they could redirect traffic away from real charging stations, falsify charging records, or block legitimate charging requests from reaching the backend system.
Prerequisites
  • Network access to EV2GO communication channels or the charging station network
  • No authentication credentials required for certain operations
Tags: remotely exploitable · no authentication required · low complexity · no patch available · critical CVSS score (9.4)
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product              | Affected Versions | Fix Status
ev2go.io: vers:all/* | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Contact EV2GO support immediately to determine available compensating controls or interim mitigations
  • HARDENING: Implement strict firewall rules to allow only authorized charging stations to communicate with your EV2GO backend services
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Deploy network monitoring to detect suspicious charging station behavior or unusual backend traffic patterns
Mitigations - no patch available
ev2go.io: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to isolate EV2GO charging station communication from other corporate networks
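The compensating controls above reduce to two checks an operator can run continuously at the network boundary: only allowlisted stations, from their expected source addresses, may reach the backend, and repeated authentication failures from one source (the CWE-307 pattern in the summary) should be surfaced. The script below is an added example, not code from EV2GO or OTPulse; the log format, station IDs, IP addresses and the five-failures-per-minute threshold are all assumptions constructed for illustration, and an operator would substitute the fields their own gateway or reverse proxy emits.

```python
"""Allowlist and auth-failure checks over constructed backend connection logs.

Added example (not EV2GO's or OTPulse's code). The log format, station IDs,
IP addresses and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist: station identifier -> the source address it is
# expected to connect from. This is the "allow only authorized stations"
# firewall control expressed as data the monitor can check against.
ALLOWLIST = {
    "CS-0001": "10.20.0.11",
    "CS-0002": "10.20.0.12",
}

# Constructed sample log lines: "<ISO timestamp> <src ip> <station id> <event>"
SAMPLE_LOG = """\
2026-02-26T08:00:01 10.20.0.11 CS-0001 auth_ok
2026-02-26T08:00:05 10.20.0.12 CS-0002 auth_ok
2026-02-26T08:01:10 192.0.2.44 CS-0001 auth_ok
2026-02-26T08:02:00 10.20.0.12 CS-0002 auth_fail
2026-02-26T08:02:01 10.20.0.12 CS-0002 auth_fail
2026-02-26T08:02:02 10.20.0.12 CS-0002 auth_fail
2026-02-26T08:02:03 10.20.0.12 CS-0002 auth_fail
2026-02-26T08:02:04 10.20.0.12 CS-0002 auth_fail
2026-02-26T08:02:05 10.20.0.12 CS-0002 auth_fail
2026-02-26T08:05:00 10.20.0.99 CS-0009 auth_ok
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, station, event)."""
    ts, ip, station, event = line.split()
    return datetime.fromisoformat(ts), ip, station, event


def find_unauthorized_sources(lines, allowlist=ALLOWLIST):
    """Return (station, ip) pairs where the station ID is unknown or the
    source IP differs from the allowlisted address for that ID. Either case
    is what a station-impersonation attempt looks like from the backend."""
    hits = set()
    for line in lines:
        _, ip, station, _ = parse_line(line)
        expected = allowlist.get(station)
        if expected is None or expected != ip:
            hits.add((station, ip))
    return sorted(hits)


def find_auth_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return source IPs with at least `threshold` auth_fail events inside
    any sliding window of length `window` (an excessive-attempts indicator)."""
    fails = defaultdict(list)
    for line in lines:
        ts, ip, _, event = parse_line(line)
        if event == "auth_fail":
            fails[ip].append(ts)
    flagged = []
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def review(log_text=SAMPLE_LOG):
    """Run both checks over a log text and return the findings."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return {
        "unauthorized_sources": find_unauthorized_sources(lines),
        "auth_bursts": find_auth_bursts(lines),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

On the constructed sample, the review flags CS-0001 connecting from an address outside its allowlist entry, an unknown station ID CS-0009, and a burst of six failed authentications from 10.20.0.12 within a few seconds. In practice the allowlist would be generated from the same source that drives the firewall rules, so the monitor and the enforcement point cannot drift apart.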
API: /api/v1/advisories/b8681637-3b02-4161-b105-50cd4a3a7f3c


EV2GO ev2go.io | CVSS 9.4 - OTPulse