Everon OCPP Backends

CVSS 9.4 | ICS-CERT ICSA-26-062-08 | Mar 3, 2026
Sectors: Energy, Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Everon OCPP backend (api.everon.io) contains multiple authentication and session management vulnerabilities (CWE-306: Missing Authentication, CWE-307: Improper Restriction of Rendered UI Layers, CWE-613: Insufficient Session Expiration, CWE-522: Insufficiently Protected Credentials). Successful exploitation could allow attackers to gain unauthorized administrative control over charging stations, disrupt charging services via denial-of-service, or manipulate charging sessions. Everon has shut down the platform as of December 1, 2025, and no fixes will be provided.

What this means
What could happen
An attacker could gain unauthorized administrative access to Everon OCPP charging station backends, allowing them to disrupt EV charging services, lock out operators, or manipulate charging sessions. Since the platform is shut down as of December 1, 2025, the primary risk is now legacy or offline systems that depend on Everon backend connectivity.
Who's at risk
Electric utilities, municipal governments, commercial charging networks, and transportation fleet operators managing EV charging infrastructure that relies on Everon OCPP backend services. This includes all Level 2 and DC fast-charging stations that were provisioned through Everon's cloud management platform.
How it could be exploited
An attacker with internet access could exploit the authentication and authorization weaknesses (CWE-306, CWE-307) to obtain administrative credentials or bypass access controls on the api.everon.io backend. Once authenticated, the attacker could manipulate the OCPP (Open Charge Point Protocol) commands sent to charging stations, disabling stations or forcing them offline. No special tools or user interaction are required.
Prerequisites
  • Network access to api.everon.io over the internet
  • No authentication or weak/default credentials accepted by the API
  • Charging station infrastructure still configured to connect to Everon backend
Tags: remotely exploitable, no authentication required, low complexity, no patch available, platform end-of-life
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product | Affected Versions | Fix Status
api.everon.io (vers:all/*) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Migrate all charging stations from the Everon OCPP backend to an alternative supported OCPP backend provider.
HARDENING: Ensure charging stations are not accessible from the internet; place them behind firewalls and restrict outbound connectivity to only approved OCPP backend servers.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: If continued operation of Everon-dependent stations is necessary during migration, implement network segmentation to isolate them from critical infrastructure and business networks.
HARDENING: Audit and reconfigure any charging stations still attempting to connect to api.everon.io; verify they have migrated to a supported backend or are powered down.
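One way to carry out that audit from egress firewall logs, as an added example that is not part of the advisory: it flags stations still trying to reach api.everon.io and stations talking to any backend outside an allowlist. The log line format, the station IPs and the approved backend hostname are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical allowlist of approved OCPP backend hosts (assumption, not from the advisory).
APPROVED_BACKENDS = {"ocpp.example-backend.net"}
EOL_BACKEND = "api.everon.io"  # the end-of-life backend named in the advisory

# Constructed sample of egress firewall log lines from a charging-station VLAN.
# Assumed format: <time> src=<ip> dst_host=<host> dst_port=<port> action=<allow|deny>
SAMPLE_LOG = """\
2026-03-04T08:00:01Z src=10.20.1.11 dst_host=api.everon.io dst_port=443 action=allow
2026-03-04T08:00:05Z src=10.20.1.12 dst_host=ocpp.example-backend.net dst_port=443 action=allow
2026-03-04T08:01:10Z src=10.20.1.11 dst_host=api.everon.io dst_port=443 action=allow
2026-03-04T08:02:00Z src=10.20.1.13 dst_host=unknown-ocpp.example.org dst_port=8080 action=allow
2026-03-04T08:03:00Z src=10.20.1.14 dst_host=api.everon.io dst_port=443 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_host=(?P<host>\S+) "
    r"dst_port=(?P<port>\d+) action=(?P<action>\w+)$"
)


def audit_egress(log_text, approved=APPROVED_BACKENDS, eol=EOL_BACKEND):
    """Return per-station findings: attempts to reach the EOL backend and unapproved hosts.

    Stations whose only traffic goes to approved backends are omitted from the result.
    A denied attempt still counts: the station is evidently still provisioned for Everon.
    """
    findings = defaultdict(lambda: {"eol_attempts": 0, "unapproved": set(), "last_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole audit
        src, host = m["src"], m["host"]
        rec = findings[src]
        rec["last_seen"] = m["ts"]
        if host == eol:
            rec["eol_attempts"] += 1
        elif host not in approved:
            rec["unapproved"].add(host)
    return {src: rec for src, rec in findings.items() if rec["eol_attempts"] or rec["unapproved"]}


if __name__ == "__main__":
    for station, rec in sorted(audit_egress(SAMPLE_LOG).items()):
        print(station, "eol_attempts=%d" % rec["eol_attempts"], "unapproved=%s" % sorted(rec["unapproved"]))
```

Stations listed with a non-zero eol_attempts count are the ones the advisory says must be reconfigured or powered down; unapproved hosts point at backends that the egress firewall rule has not yet been narrowed to.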