CVE-2026-27772
Published: 27 February 2026
Summary
CVE-2026-27772 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Ev.Energy Ev.Energy. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-27772 is a critical vulnerability in OCPP WebSocket endpoints that lack proper authentication mechanisms, allowing attackers to perform unauthorized station impersonation and manipulate data sent to the backend. Published on 2026-02-27, it affects EV charging infrastructure software utilizing these endpoints, as detailed in CISA ICS Advisory ICSA-26-057-07 and associated with ev.energy. Mapped to CWE-306 (Missing Authentication for Critical Function), the issue enables unauthenticated connections where attackers use a known or discovered charging station identifier to issue or receive OCPP commands as a legitimate charger.
An unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of prerequisites (CVSS v3.1 base score of 9.4: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L). Successful exploitation allows privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend, potentially disrupting operations and compromising the integrity of EV charging systems.
Mitigation guidance is provided in CISA ICS Advisory ICSA-26-057-07 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07) and the corresponding CSAF document (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-07.json), with additional vendor information available at https://www.ev.energy/en-us.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8966
Vulnerability details
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…
more
or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability involves unauthenticated exploitation of public-facing WebSocket endpoints (T1190) enabling privilege escalation to unauthorized control and data manipulation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized impersonation and command manipulation.
Enforces approved access authorizations for WebSocket endpoints, blocking unauthenticated access to OCPP functions and data manipulation.
Establishes authentication and usage restrictions for remote access methods like OCPP WebSocket, mitigating unauthenticated station connections.