
CVE-2026-27767: CWE-306 Missing Authentication for Critical Function in SWITCH EV swtchenergy.com

Severity: Critical
Published: Thu Feb 26 2026 (02/26/2026, 23:57:51 UTC)
Source: CVE Database V5
Vendor/Project: SWITCH EV
Product: swtchenergy.com

Description

CVE-2026-27767 is a critical vulnerability in SWITCH EV's swtchenergy.com platform where WebSocket endpoints lack authentication, allowing attackers to impersonate charging stations. By connecting to the OCPP WebSocket endpoint with a known or discovered station ID, an unauthenticated attacker can issue or receive commands as if they were a legitimate charger. This flaw enables privilege escalation, unauthorized control over charging infrastructure, and data corruption in the backend charging network. The vulnerability affects all versions of the product and has a CVSS score of 9.4, indicating high severity. No user interaction or authentication is required, and exploitation can be performed remotely over the network. Although no known exploits are reported in the wild yet, the impact on confidentiality, integrity, and availability is significant. Organizations operating SWITCH EV charging infrastructure are at risk of operational disruption and data manipulation. Immediate mitigation involves implementing strong authentication on WebSocket endpoints and monitoring for anomalous station activity.

AI-Powered Analysis

Last updated: 02/27/2026, 00:26:36 UTC

Technical Analysis

CVE-2026-27767 identifies a critical security vulnerability in the SWITCH EV charging platform (swtchenergy.com) related to missing authentication on WebSocket endpoints used for OCPP (Open Charge Point Protocol) communications. The flaw arises because the WebSocket interface does not enforce any authentication or authorization checks when a client connects. Attackers can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, effectively impersonating that station. Once connected, the attacker can send or receive OCPP commands, which are normally reserved for legitimate charging stations. This unauthorized access allows attackers to escalate privileges, manipulate charging commands, disrupt charging sessions, and corrupt data reported to the backend management systems. The vulnerability affects all versions of the SWITCH EV product, indicating a systemic design flaw. The CVSS 3.1 score of 9.4 reflects the vulnerability's ease of exploitation (network accessible, no authentication required), and its severe impact on confidentiality and integrity of charging infrastructure data, with some impact on availability. Although no public exploits have been reported, the risk remains high due to the critical nature of electric vehicle charging infrastructure and the potential for attackers to cause widespread disruption or data manipulation. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), highlighting the absence of necessary security controls on critical communication channels. The lack of authentication on WebSocket endpoints is a significant oversight, especially given the sensitive operational role of OCPP commands in managing charging stations.
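
The missing handshake check described above, next to a hardened form, as an added example (not SWITCH EV's code and not part of the original advisory). It assumes HTTP Basic credentials presented at the WebSocket upgrade, a `/ocpp/<station ID>` URL layout, and constructed station IDs and secrets; all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed inventory: station ID -> SHA-256 of its provisioned secret.
# Assumes long random machine secrets; sample values only.
STATION_SECRETS = {
    "CP-0001": hashlib.sha256(b"sample-secret-one").hexdigest(),
    "CP-0002": hashlib.sha256(b"sample-secret-two").hexdigest(),
}
UNKNOWN = "0" * 64  # dummy digest so unknown IDs take the same code path


def station_id_from_path(path):
    """Last URL segment is the claimed station ID: /ocpp/CP-0001 -> CP-0001."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def accept_unauthenticated(path, headers):
    """The CWE-306 pattern: the station ID in the URL is the only identity check."""
    return station_id_from_path(path) in STATION_SECRETS


def accept_authenticated(path, headers):
    """Accept the upgrade only with Basic credentials bound to the claimed ID."""
    station_id = station_id_from_path(path)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, sep, secret = decoded.partition(":")
    if not sep or user != station_id:
        return False  # a credential for one station must not open another
    presented = hashlib.sha256(secret.encode("utf-8")).hexdigest()
    expected = STATION_SECRETS.get(station_id, UNKNOWN)
    return hmac.compare_digest(presented, expected)


def basic_header(user, secret):
    """Build the Authorization header a provisioned station would send."""
    raw = f"{user}:{secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
```

The binding between the credential's username and the station ID in the URL is what stops a valid credential for one charger from being used to speak as another.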

Potential Impact

The impact of CVE-2026-27767 is substantial for organizations operating SWITCH EV charging infrastructure globally. Unauthorized access to the OCPP WebSocket endpoint allows attackers to impersonate legitimate charging stations, leading to several risks:

1) Privilege escalation enables attackers to gain control over charging station operations, potentially disrupting charging availability or causing physical damage.
2) Data integrity is compromised as attackers can manipulate or corrupt charging session data sent to backend systems, undermining billing accuracy, usage statistics, and operational monitoring.
3) Confidentiality breaches may occur if sensitive operational data is intercepted or altered.
4) Availability risks arise if attackers disrupt charging sessions or overload backend systems with malicious commands.

These impacts can lead to financial losses, reputational damage, regulatory penalties, and erosion of user trust. The vulnerability also poses risks to critical infrastructure resilience, especially as EV charging networks become integral to energy and transportation sectors. Given the global push for electric vehicle adoption, exploitation could affect a wide range of stakeholders including utilities, charging network operators, and end users. The lack of authentication means that attackers do not need credentials or user interaction, increasing the likelihood of automated or large-scale attacks once exploit techniques are developed.

Mitigation Recommendations

To mitigate CVE-2026-27767 effectively, organizations should:

1) Immediately implement strong authentication and authorization mechanisms on all OCPP WebSocket endpoints to ensure only legitimate charging stations can connect. This may include mutual TLS authentication, token-based authentication, or API keys tied to station identities.
2) Employ network segmentation and firewall rules to restrict access to WebSocket endpoints only to trusted IP ranges or VPNs.
3) Monitor WebSocket connection logs for anomalous activity such as unexpected station identifiers or unusual command patterns to detect potential impersonation attempts.
4) Validate all incoming OCPP commands on the backend for consistency and authorization before execution.
5) Conduct a thorough security review of the entire charging infrastructure communication stack to identify and remediate other missing authentication or authorization controls.
6) Engage with SWITCH EV for patches or updates addressing this vulnerability and apply them promptly once available.
7) Educate operational staff about the risks of unauthenticated access and establish incident response plans specific to charging infrastructure compromise.
8) Consider deploying intrusion detection systems (IDS) or anomaly detection solutions tailored to OCPP traffic patterns.

These measures go beyond generic advice by focusing on protocol-specific controls, active monitoring, and layered defenses tailored to the unique environment of EV charging networks.
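
One way to implement the connection-log monitoring recommended above, as an added example that is not part of the original advisory or any vendor tooling. The log format, station inventory, threshold and alert names are assumptions, and the log lines are constructed sample data using documentation IP ranges.

```python
from collections import defaultdict

KNOWN_STATIONS = {"CP-0001", "CP-0002"}  # constructed inventory
MAX_IDS_PER_SOURCE = 3                   # hypothetical threshold

# Constructed log lines: "<ISO time> <source IP> <station ID> <connect|disconnect>"
SAMPLE_LOG = """\
2026-02-27T08:00:00Z 198.51.100.10 CP-0001 connect
2026-02-27T08:00:05Z 198.51.100.20 CP-0002 connect
2026-02-27T08:03:00Z 203.0.113.7 CP-0001 connect
2026-02-27T08:03:02Z 203.0.113.7 CP-0002 connect
2026-02-27T08:03:04Z 203.0.113.7 CP-0003 connect
2026-02-27T08:03:06Z 203.0.113.7 CP-0004 connect
2026-02-27T08:10:00Z 198.51.100.20 CP-0002 disconnect
"""


def find_anomalies(log_text):
    """Return (time, kind, subject, source IP) alerts for suspicious connects."""
    alerts = []
    open_sessions = defaultdict(set)  # station ID -> source IPs with a live session
    ids_by_source = defaultdict(set)  # source IP -> station IDs it has claimed
    flagged_sources = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, src, station, event = parts
        if event == "disconnect":
            open_sessions[station].discard(src)
            continue
        if event != "connect":
            continue
        if station not in KNOWN_STATIONS:
            alerts.append((ts, "unknown_station", station, src))
        if open_sessions[station] - {src}:
            # A station ID already in session is being claimed from elsewhere.
            alerts.append((ts, "concurrent_session", station, src))
        open_sessions[station].add(src)
        ids_by_source[src].add(station)
        if len(ids_by_source[src]) > MAX_IDS_PER_SOURCE and src not in flagged_sources:
            flagged_sources.add(src)  # alert once per source
            alerts.append((ts, "many_ids_from_source", src, src))
    return alerts
```

On the sample data, every alert traces back to the single source that claims station IDs already in session elsewhere and IDs absent from the inventory.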


Technical Details

Data Version: 5.2
Assigner Short Name: icscert
Date Reserved: 2026-02-23T23:48:14.385Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a0e11f32ffcdb8a28c26e3

Added to database: 2/27/2026, 12:11:11 AM

Last enriched: 2/27/2026, 12:26:36 AM

Last updated: 2/27/2026, 7:12:43 AM
