CVE-2026-27767
Published: 27 February 2026
Summary
CVE-2026-27767 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Swtchenergy Swtchenergy.Com. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires unique identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized station impersonation.
Limits permitted actions without identification or authentication to exclude critical OCPP WebSocket functions, mitigating unauthenticated access and data manipulation.
Enforces approved access control policies at WebSocket endpoints to require authentication for all station commands and data exchanges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in public-facing OCPP WebSocket endpoints lacking authentication directly enables exploitation for initial access via public-facing application (T1190) and privilege escalation through unauthorized station impersonation and control (T1068).
NVD Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…
more
or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Deeper analysisAI
CVE-2026-27767 is a critical vulnerability in OCPP WebSocket endpoints used in charging infrastructure, where the endpoints lack proper authentication mechanisms. This flaw, published on 2026-02-27, enables attackers to perform unauthorized station impersonation and manipulate data sent to the backend. It is associated with CWE-306 (Missing Authentication for Critical Function) and carries a CVSS score of 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issuing or receiving OCPP commands as a legitimate charger. Successful exploitation allows privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
CISA's ICS Advisory ICSA-26-057-06 details mitigation recommendations, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06, with the corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-06.json. Vendor contact for further assistance is provided at https://swtchenergy.com/contact/.
Details
- CWE(s)