OTPulse

EVoke Systems Charging Station Management System

Plan PatchCVSS 9.4ICS-CERT ICSA-26-176-02Jun 25, 2026
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The EVoke CSMS supports OCPP (Open Charge Point Protocol) Security Profiles 0–3, but many legacy chargers deployed in networks only support the weaker Security Profiles 0 and 1, which lack encryption and strong authentication. This allows attackers to spoof charger identities, establish unauthorized sessions, or issue malicious commands to the charging infrastructure. The vulnerability arises because the CSMS must interoperate with older EVSE (Electric Vehicle Supply Equipment) hardware from manufacturers like EVBox that no longer issue firmware updates. EVoke is implementing server-side mitigations including charger allow-listing, single-session-per-ID enforcement, and duplicate connection rejection. However, legacy chargers cannot be upgraded to stronger security profiles and remain at risk.

What this means
What could happen
An attacker with network access to the EVoke CSMS could gain unauthorized administrative control over charging stations, allowing them to disrupt EV charging services or tamper with billing and access controls. This could prevent electric vehicle fleet charging operations at critical facilities.
Who's at risk
EV charging station operators and fleet owners using EVoke Charging Station Management System, particularly those managing legacy chargers (EVBox and similar older models). Any organization providing public or private EV charging infrastructure with networked chargers is affected.
How it could be exploited
An attacker on the network can exploit weak or missing authentication in OCPP (Open Charge Point Protocol) connections to spoof charger identities or impersonate the management system. They could inject malicious commands to disable chargers, alter billing records, or grant unauthorized access to charging infrastructure.
Prerequisites
  • Network access to the EVoke CSMS server and its communication ports
  • Knowledge of valid charger identifiers or ability to intercept OCPP traffic
  • Target charger running legacy Security Profile 0 or 1 (older EVBox and similar devices)
Remotely exploitableNo authentication required for legacy chargersLow complexity attackAffects critical infrastructure (energy/transportation)Legacy devices may never be patched
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
ProductAffected VersionsFix Status
EVoke CSMSAll versionsFix available
Remediation & Mitigation
0/6
Do now
0/2
WORKAROUNDImplement network firewall rules to restrict OCPP communication to known, registered charger IP addresses and MAC addresses only
HARDENINGEnable and monitor single-session enforcement in the EVoke CSMS to reject duplicate connections from the same charger ID
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EVoke CSMS and all connected chargers to the latest firmware that supports OCPP Security Profile 2 (TLS with basic authentication) or Profile 3 (mutual TLS with certificates)
HARDENINGEstablish a charger inventory audit and enforce allow-listing in the CSMS database; remove or mark any unrecognized charger IDs
Long-term hardening
0/2
HARDENINGFor legacy chargers that cannot be upgraded, isolate them on a separate network segment with restricted access to the CSMS, and implement network monitoring for unusual charger connection patterns
HARDENINGPlan replacement of unsupported legacy chargers (e.g., discontinued EVBox models) with modern models that support OCPP Security Profile 2 or 3
View full CISA ICS-CERT advisory
API: /api/v1/advisories/b956ba0a-acd8-4f40-a351-948668aac9e9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

EVoke Systems Charging Station Management System | CVSS 9.4 - OTPulse