EV Energy ev.energy
Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-057-07 | Feb 26, 2026
Energy
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
EV Energy charging stations contain multiple authentication and credential handling vulnerabilities (CWE-306, CWE-307, CWE-522, CWE-613) that affect all versions. Successful exploitation enables attackers to gain unauthorized administrative control over charging stations and disrupt charging services through denial-of-service attacks. The vendor did not respond to CISA coordination requests and has indicated no patch is planned.
What this means
What could happen
An attacker could gain unauthorized administrative control of EV charging stations, allowing them to disrupt charging services, modify charging behavior, or cause denial-of-service attacks that prevent legitimate users from charging vehicles.
Who's at risk
This affects electric vehicle charging station operators and energy utilities deploying ev.energy charging infrastructure. It is particularly critical for municipal utilities and commercial charging networks, where service disruption impacts public access to EV charging services.
How it could be exploited
An attacker with network access to the charging station can exploit authentication and credential handling vulnerabilities to gain admin-level control without valid credentials. The attack requires only network access and no user interaction, making it remotely exploitable.
Prerequisites
- Network access to the EV charging station (port 80, 443, or other management interface)
- No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects energy infrastructure and public services
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| ev.energy: vers:all/* | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Isolate affected EV charging stations from untrusted networks using network segmentation or firewall rules
- HARDENING: Restrict network access to EV charging station management interfaces to authorized administrative systems only
Schedule — requires maintenance window
Patching may require device reboot: plan for process interruption
- HARDENING: Monitor EV charging station logs and traffic for suspicious administrative login attempts or unusual command execution
- WORKAROUND: Contact EV Energy directly at https://www.ev.energy/en-us to inquire about security patches or firmware updates
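
One way to act on the monitoring and access-restriction items above, as an added example that is not part of the advisory or of any ev.energy tooling: it flags admin login activity from sources outside an allowlisted admin subnet and bursts of failed logins from one source (the CWE-307 case). The log line layout, the 10.20.0.0/28 admin subnet and the thresholds are assumptions; real station or proxy logs will need a different pattern.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, not from the advisory: log layout, admin subnet, thresholds.
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=admin event=(login_ok|login_fail)$")
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/28")]
MAX_FAILS, WINDOW = 5, timedelta(seconds=60)

SAMPLE_LOG = """\
2026-03-01T09:00:00Z src=10.20.0.5 user=admin event=login_ok
2026-03-01T09:01:00Z src=10.20.0.5 user=admin event=login_fail
2026-03-01T09:05:00Z src=192.0.2.44 user=admin event=login_fail
2026-03-01T09:05:05Z src=192.0.2.44 user=admin event=login_fail
2026-03-01T09:05:10Z src=192.0.2.44 user=admin event=login_fail
2026-03-01T09:05:15Z src=192.0.2.44 user=admin event=login_fail
2026-03-01T09:05:20Z src=192.0.2.44 user=admin event=login_fail
2026-03-01T09:10:00Z src=198.51.100.7 user=admin event=login_ok
"""  # constructed sample lines using documentation-range addresses

def is_authorized(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as unauthorized
    return any(addr in net for net in ADMIN_NETS)

def find_alerts(log_text):
    """Return sorted (kind, source) findings for admin login events."""
    fails, alerts = defaultdict(deque), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an admin login event in the assumed format
        ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
        src, event = m[2], m[3]
        if not is_authorized(src):
            kind = "login_ok" if event == "login_ok" else "attempt"
            alerts.add((f"unauthorized_source_{kind}", src))
        if event == "login_fail":
            q = fails[src]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop failures older than the window
                q.popleft()
            if len(q) >= MAX_FAILS:
                alerts.add(("excessive_failures", src))
    return sorted(alerts)
```

Calling `find_alerts(SAMPLE_LOG)` returns the findings as a sorted list, suitable for forwarding to a SIEM or alerting pipeline.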