CVE-2026-27772: CWE-306 in EV Energy ev.energy
CVE-2026-27772 is a critical vulnerability in EV Energy's ev.energy product where WebSocket endpoints lack authentication, allowing attackers to impersonate charging stations. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and issue or receive OCPP commands as if they were a legitimate charger. This flaw enables privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data sent to the backend. The vulnerability affects all versions of ev.energy and has a CVSS score of 9.4, indicating high impact on confidentiality and integrity with low attack complexity and no user interaction required. No patches are currently available, and no known exploits have been reported in the wild. Organizations using ev.energy charging infrastructure are at significant risk of operational disruption and data manipulation due to this vulnerability.
AI Analysis
Technical Summary
CVE-2026-27772 is a critical security vulnerability identified in the ev.energy product by EV Energy, affecting all versions. The root cause is the absence of proper authentication mechanisms on the WebSocket endpoints that handle Open Charge Point Protocol (OCPP) communications between charging stations and backend systems. Specifically, the WebSocket endpoint allows unauthenticated connections from clients that present a charging station identifier, which can be either known or discovered by an attacker. Once connected, the attacker can impersonate a legitimate charging station, issuing or receiving OCPP commands without restriction. This lack of authentication corresponds to CWE-306 (Missing Authentication for Critical Function). The vulnerability enables attackers to escalate privileges, gain unauthorized control over charging stations, manipulate charging commands, and corrupt data reported to the backend infrastructure. The CVSS v3.1 score of 9.4 reflects the vulnerability's critical nature, with network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity, though availability impact is low. The vulnerability was published on February 27, 2026, with no patches or mitigations currently available, and no known exploits detected in the wild. This flaw poses a significant risk to the security and reliability of EV charging networks relying on ev.energy products.
Potential Impact
The impact of CVE-2026-27772 is substantial for organizations operating EV charging infrastructure using ev.energy products. Unauthorized attackers can impersonate legitimate charging stations, leading to unauthorized control over charging operations. This can result in manipulation of charging sessions, such as starting, stopping, or altering charging parameters, potentially causing financial losses, operational disruptions, or safety hazards. Additionally, attackers can corrupt or falsify data reported to backend systems, undermining the integrity of usage records, billing, and monitoring. The confidentiality of charging station identities and operational data is also compromised, which could facilitate further targeted attacks or espionage. Although availability impact is rated low, the integrity and confidentiality breaches alone can severely damage trust in the charging network and cause regulatory compliance issues. Given the critical role of EV charging infrastructure in energy and transportation sectors, this vulnerability could have cascading effects on energy management and smart grid operations if exploited at scale.
Mitigation Recommendations
To mitigate CVE-2026-27772, organizations should implement strong authentication mechanisms on all WebSocket endpoints handling OCPP communications. This includes enforcing mutual TLS authentication or token-based authentication to verify charging station identities before allowing command exchanges. Network segmentation should be applied to isolate charging station communication channels from public or untrusted networks, reducing exposure to unauthorized access. Monitoring and anomaly detection systems should be deployed to identify unusual connection attempts or command patterns indicative of impersonation attempts. Until official patches or updates are released by EV Energy, organizations should consider disabling remote WebSocket access or restricting it to trusted IP ranges. Additionally, conducting thorough audits of charging station identifiers and rotating them periodically can reduce the risk of identifier discovery. Collaboration with EV Energy for timely patch deployment and sharing threat intelligence related to this vulnerability is essential. Finally, organizations should prepare incident response plans specific to charging infrastructure compromise scenarios.
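One way to enforce the token-based option described above, as an added example (not ev.energy's code and not from the advisory): a check run during the WebSocket upgrade that refuses any connection whose station identifier is not backed by a per-station secret sent as HTTP Basic credentials. The `/ocpp/<station-id>` path layout, the credential store, the header dict with an exact `Authorization` key and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value)


def hash_secret(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def station_id_from_path(path: str) -> str:
    """Last path segment is the station identity (assumed layout: /ocpp/<id>)."""
    return unquote(path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1])


def authorize_handshake(path: str, headers: dict, store: dict) -> int:
    """Return 101 to continue the WebSocket upgrade, or 401 to refuse it."""
    station_id = station_id_from_path(path)
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401  # identifier alone, no credential: the CWE-306 case
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return 401
    username, sep, secret = decoded.partition(b":")
    if not sep:
        return 401
    # Unknown stations still get a hash and compare, so response timing
    # does not reveal which identifiers are provisioned.
    salt, expected = store.get(station_id, (b"\x00" * 16, b"\x00" * 32))
    secret_ok = hmac.compare_digest(hash_secret(secret, salt), expected)
    # The credential must belong to the station named in the URL.
    name_ok = hmac.compare_digest(username, station_id.encode())
    return 101 if (secret_ok and name_ok and station_id in store) else 401


def basic(user: str, secret: str) -> dict:
    """Build the header a provisioned station would send (test helper)."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


# Constructed sample data: one provisioned station, salted hash at rest.
_SALT = b"constructed-salt"
STORE = {"CP-0001": (_SALT, hash_secret(b"constructed-secret", _SALT))}
```

The check belongs in the handshake handler, before any OCPP frame is read, and should run over TLS so the secret is not exposed in transit.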
Affected Countries
United States, Germany, United Kingdom, Netherlands, France, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-24T00:16:49.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0e11f32ffcdb8a28c26e8
Added to database: 2/27/2026, 12:11:11 AM
Last enriched: 2/27/2026, 12:26:22 AM
Last updated: 2/27/2026, 4:04:07 AM