CVE-2026-27767: CWE-306 Missing Authentication for Critical Function in SWITCH EV swtchenergy.com
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AI Analysis
Technical Summary
CVE-2026-27767 identifies a critical security flaw in SWITCH EV's charging station management system accessible via swtchenergy.com. The vulnerability arises from missing authentication controls on WebSocket endpoints that handle OCPP communications between charging stations and backend systems. Attackers can exploit this by connecting to the OCPP WebSocket endpoint using a legitimate or discovered charging station identifier without any authentication. This allows them to impersonate a charging station, issuing commands or intercepting data intended for the backend. The lack of authentication constitutes a CWE-306 weakness, enabling unauthorized privilege escalation and control over charging infrastructure. The vulnerability impacts all versions of the product and is remotely exploitable over the network without any user interaction or privileges. The CVSS 3.1 score of 9.4 reflects the high confidentiality and integrity impact, with a low attack complexity and no required privileges. This flaw could lead to unauthorized manipulation of charging sessions, disruption of electric vehicle charging services, and corruption of operational data, potentially affecting grid management and billing systems. No patches or mitigations are currently listed, and no known exploits have been reported in the wild as of the publication date.
Potential Impact
The vulnerability poses a severe risk to organizations operating SWITCH EV charging infrastructure worldwide. Unauthorized attackers can impersonate legitimate charging stations, leading to unauthorized control over charging processes, manipulation of charging data, and potential disruption of electric vehicle charging services. This can result in financial losses due to incorrect billing or service denial, damage to operational integrity, and erosion of customer trust. Additionally, compromised charging infrastructure could be leveraged as a foothold for further attacks on critical energy infrastructure or grid management systems. The confidentiality of operational data is at risk, as attackers can intercept or alter communications. The integrity of charging sessions and backend data is compromised, potentially causing cascading effects on energy distribution and management. Although availability impact is rated low, targeted attacks could still disrupt services temporarily. The broad impact scope and ease of exploitation make this a critical threat for energy providers, charging network operators, and related stakeholders.
Mitigation Recommendations
To mitigate CVE-2026-27767, organizations should immediately implement strong authentication mechanisms on all WebSocket endpoints handling OCPP communications. This includes enforcing mutual TLS authentication or token-based authentication to verify the identity of charging stations before allowing command exchange. Network segmentation should be applied to isolate charging infrastructure from other critical systems, limiting exposure. Monitoring and logging of WebSocket connections and OCPP commands should be enhanced to detect anomalous or unauthorized activity promptly. Organizations should conduct thorough audits of charging station identifiers and revoke or rotate any that may be compromised or publicly known. Where possible, implement rate limiting and anomaly detection on WebSocket endpoints to prevent abuse. Vendors should be engaged to develop and deploy patches or firmware updates that address the authentication deficiency. Until patches are available, consider deploying Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) with custom rules to block unauthorized WebSocket connections. Finally, educate operational teams on the risks and signs of exploitation to improve incident response readiness.
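As an added illustration of the token-based option described above (not SWITCH EV's code and not part of the advisory): a handshake gate that refuses the WebSocket upgrade unless HTTP Basic credentials are present, are bound to the station identifier in the URL path, and verify against a stored hash. The `/ocpp/<station-id>` path layout, the `STATIONS` store, and all identifiers and secrets are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

def derive(password: str, salt: bytes) -> bytes:
    # Store only a slow salted hash of each station secret, never the secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (assumption): station id -> (salt, hash).
STATIONS = {"CP-0001": (b"constructed-salt", derive("constructed-secret", b"constructed-salt"))}
DUMMY = (b"dummy-salt", bytes(32))  # used for unknown ids so timing stays uniform

def basic_header(user: str, password: str) -> str:
    # Helper for the demo: what a provisioned station would send.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorize_upgrade(path: str, headers: dict) -> tuple:
    """Gate the HTTP upgrade; returns (status, reason). 101 means proceed."""
    # Assumed URL layout: /ocpp/<station-id>
    station_id = unquote(path.rstrip("/").rsplit("/", 1)[-1])
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401, "missing credentials"
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return 401, "malformed credentials"
    user, sep, password = decoded.partition(":")
    if not sep:
        return 401, "malformed credentials"
    # Identity binding: a credential is valid only for the station it was
    # issued to, so knowing another station's identifier is not enough.
    if not hmac.compare_digest(user.encode(), station_id.encode()):
        return 403, "identity mismatch"
    salt, expected = STATIONS.get(station_id, DUMMY)
    matches = hmac.compare_digest(derive(password, salt), expected)
    if not matches or station_id not in STATIONS:
        return 401, "bad credentials"
    return 101, "switching protocols"

if __name__ == "__main__":
    good = {"Authorization": basic_header("CP-0001", "constructed-secret")}
    print(authorize_upgrade("/ocpp/CP-0001", {}))      # no credentials
    print(authorize_upgrade("/ocpp/CP-0002", good))    # credential for another id
    print(authorize_upgrade("/ocpp/CP-0001", good))    # accepted
```

The check runs before any OCPP frame is parsed, so a rejected connection never reaches the message handlers; logging each 401 and 403 with its source address also feeds the connection monitoring recommended above.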
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-23T23:48:14.385Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69a0e11f32ffcdb8a28c26e3
Added to database: 2/27/2026, 12:11:11 AM
Last enriched: 3/6/2026, 8:53:53 PM
Last updated: 4/12/2026, 11:33:54 AM