Everon OCPP Backends
Priority: Act Now | Score: 9.4 | ICS-CERT ICSA-26-062-08 | Published Mar 3, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Everon OCPP backend platform contains multiple critical authentication and session management vulnerabilities (CWE-306, CWE-307, CWE-613, CWE-522) that could allow unauthorized administrative access to charging station networks. Successful exploitation lets an attacker take control of charging operations or disrupt service availability. Everon shut down its platform on December 1, 2025, so no patches will be released and all affected deployments are permanently unsupported.
What this means
What could happen
An attacker could gain unauthorized administrative control over EV charging stations, allowing them to alter charging behavior, lock out legitimate users, or disrupt charging services. Since the Everon platform has been shut down, affected charging infrastructure is now unsupported.
Who's at risk
Electric utilities and transportation/fleet operators managing EV charging networks that rely on Everon OCPP backend infrastructure. This includes municipal charging stations, commercial fleet charging depots, and utility-operated charging networks. The shutdown of the Everon platform means no future security updates will be available for any deployments.
How it could be exploited
An attacker with network access to the backend could exploit the authentication weaknesses (missing authentication, CWE-306; no lockout or rate limiting on failed logins, CWE-307) to bypass login controls and gain admin access to the OCPP backend API. Alternatively, they could exploit insufficient session expiration (CWE-613) or insufficiently protected credentials (CWE-522) to access or modify charging station configurations and operations remotely.
Prerequisites
- Network access to api.everon.io or its cloud infrastructure
- No valid credentials required, because of the CWE-306/307 weaknesses (missing authentication and no protection against repeated login attempts)
- Charging stations must be configured to communicate with the vulnerable Everon backend service
Key facts:
- Remotely exploitable
- No authentication required (CWE-306/307)
- No patch available (platform shut down)
- Affects critical energy infrastructure
- Platform end-of-life (no vendor support)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product                    | Affected Versions | Fix Status
api.everon.io (vers:all/*) | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
- HOTFIX: Migrate charging stations away from the Everon OCPP backend to an alternative, supported OCPP management platform (verify that the vendor provides security updates)
- HARDENING: Network-segment charging station management traffic; block direct Internet access from charging stations to cloud backends; route through a VPN or secure gateway if remote management is required
- WORKAROUND: Implement firewall rules to restrict charging station API communication to known, trusted management networks only
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
- WORKAROUND: Disable remote management features on charging stations if they are not actively required for operations
Mitigations - no patch available
api.everon.io (vers:all/*) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement network monitoring and alerting for unauthorized access attempts to charging infrastructure
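As an added example (not from the advisory, and not Everon code), the following Python script shows the kind of alerting the HARDENING control above calls for. It runs over constructed access-log lines from a hypothetical OCPP backend or gateway in front of it and raises an alert for a burst of failed logins from one source (the CWE-307 condition) and for a successful request to an admin path that carried no authentication (the CWE-306 condition). The log format, the paths, the thresholds and the addresses are all assumptions.

```python
"""Flag brute-force login bursts and unauthenticated admin calls in OCPP backend access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; assumed format: "<iso-ts> <src-ip> <method> <path> <status> auth=<yes|no>"
SAMPLE_LOG = """\
2025-11-20T10:00:01Z 203.0.113.7 POST /api/v1/login 401 auth=no
2025-11-20T10:00:02Z 203.0.113.7 POST /api/v1/login 401 auth=no
2025-11-20T10:00:03Z 203.0.113.7 POST /api/v1/login 401 auth=no
2025-11-20T10:00:04Z 203.0.113.7 POST /api/v1/login 401 auth=no
2025-11-20T10:00:05Z 203.0.113.7 POST /api/v1/login 401 auth=no
2025-11-20T10:01:00Z 198.51.100.4 GET /api/v1/admin/stations 200 auth=no
2025-11-20T10:02:00Z 192.0.2.10 GET /api/v1/admin/stations 200 auth=yes
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) auth=(yes|no)$")
FAIL_THRESHOLD = 5               # failed logins from one source within WINDOW_S -> alert (assumed)
WINDOW_S = 60                    # sliding window in seconds (assumed)
ADMIN_PREFIX = "/api/v1/admin/"  # hypothetical admin path prefix

def parse(log_text):
    """Parse the assumed log format into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status, auth = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
                       "method": method, "path": path, "status": int(status), "auth": auth == "yes"})
    return events

def detect(log_text):
    """Return alerts in log order: ('brute_force', ip) once per source exceeding FAIL_THRESHOLD 401s
    on /login inside WINDOW_S; ('unauth_admin', ip, path) for each 200 on an admin path with no auth."""
    alerts, flagged = [], set()
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins (sliding window)
    for ev in parse(log_text):
        if ev["path"].endswith("/login") and ev["status"] == 401:
            window = failures[ev["ip"]]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_S:  # expire failures outside the window
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"]))
        elif ev["path"].startswith(ADMIN_PREFIX) and ev["status"] == 200 and not ev["auth"]:
            alerts.append(("unauth_admin", ev["ip"], ev["path"]))
    return alerts
```

In a real deployment the same two rules would be fed from the gateway or WAF logs in front of the backend, since the backend itself can no longer be changed.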