CVE-2026-24731 is a critical security vulnerability identified in the EV2GO ev2go.io platform, specifically affecting its WebSocket endpoints that facilitate OCPP (Open Charge Point Protocol) communication between charging stations and backend systems. The root cause is the absence of proper authentication mechanisms on these WebSocket endpoints, classified under CWE-306 (Missing Authentication for Critical Function). This flaw allows any unauthenticated attacker to connect to the OCPP WebSocket interface by using a known or discovered charging station identifier. Once connected, the attacker can impersonate the charging station, issuing commands or receiving data as if they were the legitimate device. This unauthorized access can lead to privilege escalation, enabling attackers to manipulate charging operations, disrupt service availability, and corrupt critical charging network data reported to backend systems. The vulnerability affects all versions of the ev2go.io platform, indicating a systemic issue rather than a version-specific flaw. The CVSS v3.1 base score of 9.4 reflects the vulnerability's critical nature, with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality and integrity, while availability impact is low. Although no exploits have been observed in the wild yet, the potential for misuse is substantial, especially given the increasing reliance on electric vehicle infrastructure. The lack of authentication on a critical communication channel exposes the charging network to unauthorized control and data manipulation risks, which could have cascading effects on operational reliability and trustworthiness of the charging ecosystem.

The impact of CVE-2026-24731 on organizations worldwide is significant due to the critical role of EV2GO's platform in managing electric vehicle charging infrastructure. Unauthorized access to charging stations can lead to several severe consequences: attackers may manipulate charging sessions, causing financial losses or denial of service to legitimate users; they can corrupt or falsify charging data, undermining billing accuracy and operational analytics; unauthorized control may allow attackers to disrupt the availability of charging services, affecting end-user experience and potentially causing broader grid management issues. Additionally, the integrity breach of backend data can erode trust in the charging network and complicate regulatory compliance. For operators managing large fleets or public charging networks, this vulnerability could facilitate large-scale attacks impacting multiple stations simultaneously. The criticality is heightened by the fact that exploitation requires no authentication or user interaction, making automated or remote attacks feasible. The potential for privilege escalation also raises concerns about lateral movement within the network, possibly exposing other connected systems. Overall, the vulnerability threatens confidentiality, integrity, and to a lesser extent availability of critical EV charging infrastructure, with implications for operational continuity, financial integrity, and user trust.

To mitigate CVE-2026-24731 effectively, organizations using EV2GO's ev2go.io platform should implement the following specific measures: 1) Immediately engage with EV2GO to obtain patches or updates that introduce robust authentication mechanisms on the OCPP WebSocket endpoints; 2) If patches are not yet available, restrict network access to the WebSocket endpoints using network segmentation and firewall rules to allow connections only from trusted charging stations and backend systems; 3) Implement strong identity verification for charging stations, such as mutual TLS authentication or token-based authentication, to prevent unauthorized connections; 4) Monitor WebSocket traffic for anomalous connection attempts or unusual command patterns indicative of impersonation or manipulation; 5) Employ logging and alerting on OCPP command issuance and reception to detect unauthorized activity promptly; 6) Conduct regular security audits and penetration testing focused on the charging infrastructure communication channels; 7) Consider deploying intrusion detection/prevention systems (IDS/IPS) tailored to OCPP protocol anomalies; 8) Educate operational staff about the risks and signs of exploitation to enhance incident response readiness. These targeted actions go beyond generic advice by focusing on authentication hardening, network controls, and active monitoring specific to the vulnerability context.