ePower epower.ie
Act Now | 9.4 | ICS-CERT ICSA-26-062-07 | Mar 3, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in epower.ie charging station software allow attackers to bypass authentication (CWE-306, CWE-307) and gain unauthorized administrative control. The application has insufficient protection for sensitive data (CWE-522, CWE-613). Affected versions: all versions. ePower did not provide patches or coordinate with CISA; the vendor has not announced a fix timeline.
What this means
What could happen
An attacker could gain full administrative control over EV charging stations, allowing them to modify charging configurations, steal authorization data, or disable charging services entirely, disrupting electric vehicle charging infrastructure.
Who's at risk
Electric utility companies and municipalities operating EV charging infrastructure should care. This affects public and private EV charging stations using the epower.ie platform, including Level 2 chargers, DC fast chargers, and charging networks that manage multiple stations.
How it could be exploited
An attacker on the network (or the internet if the charging station is exposed) could send specially crafted requests to the epower.ie application without authentication to bypass security checks (CWE-306) and gain administrative access. With that access, they could execute arbitrary operations that alter charging behavior or deny service to legitimate users.
Prerequisites
- Network access to the epower.ie application (port and protocol depend on deployment)
- No credentials required for initial exploitation
- Charging station exposed to the network or internet
remotely exploitable | no authentication required | low complexity | no patch available | affects critical infrastructure (energy/charging)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
epower.ie: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HOTFIX: Contact ePower immediately through https://www.epower.ie/support/ to request security patches or a timeline for fixes
- WORKAROUND: Isolate epower.ie charging stations from direct internet access using a firewall; only allow traffic from trusted management systems and customer applications
- HARDENING: Disable any unnecessary epower.ie administrative interfaces if the vendor offers configuration options to restrict access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement network segmentation so charging stations are on a separate VLAN with restricted routing to and from corporate networks and the internet
- HARDENING: Monitor access logs and charging station behavior for signs of unauthorized administrative activity