CVE-2026-27772 is a critical security vulnerability identified in the ev.energy product by EV Energy, affecting all versions. The root cause is the absence of authentication mechanisms on WebSocket endpoints that handle Open Charge Point Protocol (OCPP) communications between charging stations and the backend system. An attacker can connect to these WebSocket endpoints using a known or discovered charging station identifier without any authentication or authorization checks. This allows the attacker to impersonate a legitimate charging station, issuing or receiving OCPP commands as if they were the authentic device. The lack of authentication constitutes a CWE-306 (Missing Authentication for Critical Function) weakness. Exploiting this vulnerability can lead to privilege escalation, unauthorized control over charging infrastructure, and manipulation or corruption of charging network data reported to the backend. The vulnerability has a CVSS v3.1 base score of 9.4, indicating critical severity with network attack vector, no privileges required, no user interaction, and high impact on confidentiality and integrity, with a low impact on availability. Although no patches or fixes are currently available, the vulnerability poses a significant risk to the integrity and security of EV charging networks that rely on ev.energy's platform. The vulnerability was published on February 27, 2026, and no known exploits have been observed in the wild yet. Given the critical nature of charging infrastructure in energy and transportation sectors, this vulnerability demands immediate attention from operators and vendors.

The impact of CVE-2026-27772 is substantial for organizations operating EV charging infrastructure using ev.energy's platform. Unauthorized attackers can impersonate legitimate charging stations, allowing them to manipulate charging commands, disrupt charging sessions, or falsify data sent to backend systems. This can lead to incorrect billing, denial of service to legitimate users, and potential damage to physical charging hardware through malicious commands. The integrity and confidentiality of charging network data are severely compromised, which may affect operational decision-making and regulatory compliance. Additionally, attackers gaining control over charging infrastructure could use it as a foothold for lateral movement within critical energy or transportation networks, increasing the risk of broader cyberattacks. The vulnerability's ease of exploitation (no authentication or user interaction required) and the critical role of EV charging infrastructure in modern energy ecosystems amplify the threat's severity. Organizations worldwide relying on ev.energy for EV charging management face risks of operational disruption, financial loss, reputational damage, and potential safety hazards.

Since no official patches are currently available for CVE-2026-27772, organizations should implement immediate compensating controls. First, restrict network access to WebSocket endpoints by enforcing strict firewall rules and network segmentation to limit connections only to trusted charging stations and backend systems. Deploy Web Application Firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) capable of monitoring and blocking unauthorized WebSocket traffic. Implement anomaly detection to identify unusual OCPP command patterns or unexpected station identifiers. Coordinate with EV Energy to obtain updates on patch releases and apply them promptly once available. Additionally, consider deploying mutual TLS authentication or VPN tunnels to secure communications between charging stations and backend servers, adding an authentication layer externally. Regularly audit charging station identifiers and revoke or rotate them if possible to reduce the risk of identifier discovery. Finally, maintain comprehensive logging and monitoring of charging infrastructure activities to detect and respond to potential exploitation attempts quickly.