CVE-2026-27773 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting all versions of SWITCH EV's swtchenergy.com platform. The core issue is that authentication identifiers for electric vehicle charging stations are publicly accessible via web-based mapping platforms. These identifiers, which should be confidential, are exposed without requiring any authentication or user interaction, allowing any remote attacker to obtain them. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N). The impact primarily affects confidentiality and integrity, as attackers can potentially use the exposed identifiers to impersonate legitimate users or manipulate charging station operations. There is no impact on availability. The CVSS 3.1 base score of 6.5 reflects a medium severity, indicating a moderate risk. No patches or fixes have been published yet, and no known exploits have been reported in the wild. The vulnerability was reserved and published in February 2026 by ICS-CERT. The exposure of authentication identifiers on public mapping platforms suggests a design or configuration flaw in how SWITCH EV integrates or shares charging station data. This could lead to unauthorized access or fraudulent use of charging infrastructure if attackers leverage the exposed credentials. Organizations using SWITCH EV products should review their data sharing policies and access controls to prevent unauthorized disclosure of sensitive authentication information.

The exposure of charging station authentication identifiers can lead to unauthorized access and use of electric vehicle charging infrastructure. Attackers could potentially impersonate legitimate users or manipulate charging sessions, leading to fraudulent charging, billing issues, or disruption of service integrity. While availability is not directly impacted, the integrity and confidentiality of authentication data are compromised, which could undermine trust in the charging network. For organizations operating or managing SWITCH EV charging stations, this could result in financial losses, reputational damage, and increased operational risks. The vulnerability's ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic attacks. Additionally, attackers might use the exposed identifiers as a foothold for further attacks on the network or infrastructure. The lack of patches means the vulnerability remains open until addressed, prolonging exposure. Overall, the impact is moderate but significant given the critical role of EV charging infrastructure in energy and transportation sectors.

1. Immediately restrict public access to authentication identifiers by reviewing and modifying web-based mapping platform configurations to ensure sensitive data is not exposed. 2. Implement strong access controls and authentication mechanisms on all platforms displaying charging station information, ensuring that only authorized users can view or retrieve authentication credentials. 3. Conduct a thorough audit of data sharing policies and integrations between SWITCH EV systems and third-party mapping services to identify and remediate any inadvertent data leaks. 4. Employ encryption and tokenization techniques for authentication identifiers to prevent direct exposure of sensitive credentials. 5. Monitor network traffic and logs for unusual access patterns or attempts to use exposed identifiers fraudulently. 6. Engage with SWITCH EV vendor support to obtain updates or patches once available and apply them promptly. 7. Educate operational staff about the risks associated with credential exposure and enforce strict operational security practices. 8. Consider implementing anomaly detection systems to identify potential misuse of charging stations stemming from this vulnerability. These steps go beyond generic advice by focusing on data exposure controls, integration audits, and proactive monitoring tailored to the specific nature of this vulnerability.