ePower epower.ie

Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-062-07 | Mar 3, 2026
Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ePower epower.ie charging station software contains multiple authentication and cryptographic vulnerabilities (CWE-306, CWE-307, CWE-522, CWE-613) that allow unauthenticated attackers to gain administrative control over charging stations. Successful exploitation could enable unauthorized access to station management functions, allowing attackers to modify charging parameters, disable charging services, or cause denial-of-service disruptions. All versions of epower.ie are affected. The vendor has not responded to CISA coordination requests and has no plans to release patches.

What this means
What could happen
An attacker could gain administrative control of electric vehicle charging stations, allowing them to alter charging parameters, disable charging services, or cause denial-of-service attacks that prevent customers from charging vehicles.
Who's at risk
Electric utilities and energy providers operating epower.ie charging infrastructure, particularly municipal or regional charging networks. Charging station operators managing public or private EV charging networks are directly affected.
How it could be exploited
An attacker on the network can exploit weak authentication mechanisms (CWE-306, CWE-307) and insufficient cryptographic protection (CWE-522) to bypass login controls and gain administrative access to the charging station management interface without valid credentials or legitimate authorization.
Prerequisites
  • Network access to the epower.ie charging station management interface
  • No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects critical energy infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
epower.ie: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Contact ePower support immediately at https://www.epower.ie/support/ to inquire about security patches or workarounds since no fix is currently planned
HARDENING: Restrict network access to charging station management interfaces using firewall rules; allow only trusted administrative networks and block public internet access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement network monitoring and alerting on charging station management ports to detect unauthorized access attempts
Mitigations - no patch available
epower.ie: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment charging station networks from critical operational technology systems using network isolation or air-gapping where possible
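
One way to implement the monitoring and access-restriction mitigations above, as an added example that is not part of the advisory or any vendor tooling: it scans flow records for connections to the management port from outside the trusted administrative networks and escalates repeated attempts. The port number, admin subnet, threshold and log layout are assumptions; the sample records are constructed.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the advisory): management port, admin subnet, threshold.
MGMT_PORT = 8443
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
BURST_THRESHOLD = 5  # hits from one untrusted source before escalating

# Constructed flow records: "<ISO time> <src ip> <dst ip> <dst port>"
SAMPLE_FLOWS = "\n".join(
    ["2026-03-03T10:00:01Z 10.20.0.15 10.50.1.10 8443",   # trusted admin host
     "2026-03-03T10:00:05Z 192.0.2.44 10.50.1.10 8443",   # untrusted, single hit
     "2026-03-03T10:00:09Z 203.0.113.9 10.50.1.10 443",   # not the management port
     "garbled line"]                                      # malformed record
    + [f"2026-03-03T10:01:{s:02d}Z 198.51.100.7 10.50.1.10 8443" for s in range(6)]
)

def is_trusted(src):
    """True when src falls inside one of the trusted administrative networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def find_alerts(flow_text):
    """Return {src: (hits, severity)} for untrusted sources reaching MGMT_PORT."""
    hits = Counter()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of failing the whole scan
        _ts, src, _dst, dport = parts
        try:
            if int(dport) != MGMT_PORT or is_trusted(src):
                continue
        except ValueError:
            continue  # unparseable port or source address
        hits[src] += 1
    return {src: (n, "burst" if n >= BURST_THRESHOLD else "untrusted-source")
            for src, n in hits.items()}

if __name__ == "__main__":
    for src, (n, severity) in sorted(find_alerts(SAMPLE_FLOWS).items()):
        print(f"ALERT {severity}: {src} reached management port {MGMT_PORT} {n}x")
```

With the firewall restriction in place, any alert from this check indicates a rule gap or a misrouted path and should be investigated.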