PROBABLYPWNED
Vulnerabilities | February 27, 2026 | 3 min read

CVSS 9.4 Flaw Lets Attackers Hijack EV Charging Stations

CVE-2026-20781 exposes OCPP WebSocket endpoints to unauthenticated station impersonation, enabling attackers to manipulate EV charging infrastructure and steal energy.

Marcus Chen

A critical authentication bypass in the Open Charge Point Protocol (OCPP) allows attackers to impersonate EV charging stations and manipulate charging network infrastructure. CVE-2026-20781 was published February 27, 2026, with a CVSS score of 9.4.

The vulnerability affects OCPP WebSocket endpoints that lack authentication mechanisms, enabling unauthenticated attackers to connect and issue commands as if they were legitimate charging stations. No patch exists at time of publication—organizations must implement network-level mitigations.

How the Attack Works

OCPP is the standard communication protocol between EV charging stations and central management systems. Charging stations connect to backend systems via WebSocket to report status, authenticate users, process payments, and receive configuration updates.

CVE-2026-20781 exploits a fundamental design flaw: some OCPP implementations don't authenticate WebSocket connections. An attacker who can reach the WebSocket endpoint needs only a valid station identifier—often predictable or discoverable—to:

  1. Connect to the management system posing as a legitimate station
  2. Report false telemetry data (fake charging sessions, manipulated energy usage)
  3. Receive commands intended for the real station
  4. Potentially initiate or terminate charging sessions

The attack requires no credentials. Network access to the OCPP endpoint and knowledge of a station identifier are sufficient.
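The contrast the article draws, between an endpoint that trusts whatever station identity appears in the WebSocket URL and one that demands a credential bound to that identity, can be shown as a handshake check on the management-system side. The following is an added example (not code from the affected platform or from the OCPP project); it assumes the OCPP-J convention that the charge point identity is the last segment of the WebSocket URL and uses HTTP Basic credentials on the upgrade request, as the OCPP 1.6 security profiles do. The station secrets are constructed placeholders.

```python
import base64
import hmac
from typing import Dict, Tuple

# Constructed credential store (placeholder values): charge point identity -> shared secret.
# A real deployment keeps per-station secrets in a secret store, never in source.
STATION_SECRETS = {
    "CP-1001": b"s3cr3t-for-1001",
    "CP-1002": b"another-station-secret",
}


def station_id_from_path(path: str) -> str:
    # OCPP-J clients connect to <base-url>/<ChargePointIdentity>; take the last segment.
    return path.rstrip("/").rsplit("/", 1)[-1]


def basic_header(username: str, password: str) -> Dict[str, str]:
    # Helper that builds the Authorization header a station would send.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def accept_any_station(path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Weak pattern the article describes: the identity in the URL is trusted as-is,
    so anyone who knows (or guesses) a station id is accepted as that station."""
    station_id = station_id_from_path(path)
    if station_id in STATION_SECRETS:
        return True, station_id
    return False, "unknown station"


def authorize_handshake(path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Hardened pattern: require Basic credentials on the WebSocket upgrade request
    and bind them to the identity in the path before the session is accepted."""
    station_id = station_id_from_path(path)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False, "missing Basic credentials"
    try:
        raw = base64.b64decode(auth[len("Basic "):], validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False, "malformed Basic credentials"
    username, _, password = raw.partition(b":")
    # A credential for station A must not open a session as station B.
    if username.decode("utf-8", "replace") != station_id:
        return False, "identity mismatch between path and credentials"
    expected = STATION_SECRETS.get(station_id)
    if expected is None:
        # Compare against a dummy so unknown ids cost the same time as known ones.
        hmac.compare_digest(password, b"\x00" * 16)
        return False, "unknown station"
    if not hmac.compare_digest(password, expected):
        return False, "bad secret"
    return True, station_id


if __name__ == "__main__":
    good = basic_header("CP-1001", "s3cr3t-for-1001")
    print(accept_any_station("/ocpp/CP-1001", {}))      # weak: accepted with no credential
    print(authorize_handshake("/ocpp/CP-1001", {}))     # hardened: rejected
    print(authorize_handshake("/ocpp/CP-1001", good))   # hardened: accepted
    print(authorize_handshake("/ocpp/CP-1002", good))   # hardened: rejected, identity mismatch
```

The identity binding is the step that matters most here: even an implementation that checks a password somewhere will still allow impersonation if it never ties the authenticated username to the station id in the URL. Transport security (TLS, or mutual TLS as the mitigations below recommend) is layered on top of this check, not a replacement for it.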

Who's Affected

The CloudCharge platform is confirmed vulnerable, though the flaw likely affects other OCPP implementations lacking endpoint authentication. Organizations operating charging networks should audit their deployments regardless of vendor.

Affected parties include:

  • Utility companies operating public charging networks
  • Fleet operators managing corporate or municipal EV infrastructure
  • Property owners with charging stations in parking facilities
  • Municipalities running public charging programs

The attack surface is significant. Public charging stations often expose their management interfaces to the internet for remote monitoring and maintenance.

Real-World Impact

Successful exploitation enables several attack scenarios:

Energy theft: Attackers could impersonate stations to falsify charging records, enabling free energy consumption or billing fraud.

Infrastructure disruption: Manipulated status data could trigger false alarms, automatic shutdowns, or prevent legitimate users from charging. This echoes concerns raised about critical infrastructure targeting in utility sectors.

Data corruption: Backend systems relying on station-reported data for billing, capacity planning, and maintenance would operate on poisoned information.

Lateral movement: Compromised management systems could serve as pivot points into broader IT infrastructure, particularly concerning given the persistent access techniques attackers have demonstrated against network infrastructure.

Immediate Mitigations

With no vendor patch available, organizations should implement defense-in-depth:

  1. Restrict WebSocket access to known IP ranges and authenticated network segments
  2. Deploy Web Application Firewalls with rules to detect unauthorized WebSocket connections
  3. Implement mutual TLS between stations and management systems
  4. Monitor for anomalous connection patterns, particularly connections from unexpected IP addresses or duplicate station identifiers
  5. Audit station identifiers for predictable patterns that could be enumerated
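Items 4 and 5 of the list above (watching for connections from unexpected addresses or duplicate station identifiers, and auditing identifiers for guessable patterns) can be run as a small check over the gateway's connection log. The following is an added example, not code from the article or from any charging platform; the log format, the trusted network range and the station identifiers are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of OCPP gateway connection logs (not real data).
# Format assumed here: "<ISO timestamp> <event> station=<id> src=<ip>"
SAMPLE_LOG = """\
2026-02-27T08:00:01Z connect station=CP-0041 src=10.20.0.41
2026-02-27T08:00:05Z connect station=CP-0042 src=10.20.0.42
2026-02-27T08:01:10Z connect station=CP-0041 src=203.0.113.7
2026-02-27T08:01:12Z connect station=CP-0043 src=10.20.0.43
2026-02-27T08:02:00Z disconnect station=CP-0041 src=10.20.0.41
2026-02-27T08:03:30Z connect station=CP-0044 src=198.51.100.9
"""

# Constructed allowlist: the private/VPN range this fleet's stations connect from.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (connect|disconnect) station=(\S+) src=(\S+)$")


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, event, station, src = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), event, station, src))
    return events


def find_untrusted_sources(events) -> List[Tuple[str, str]]:
    """Connects whose source address is outside the ranges stations should use."""
    findings = []
    for _, event, station, src in events:
        if event == "connect" and not any(ipaddress.ip_address(src) in n for n in TRUSTED_NETS):
            findings.append((station, src))
    return findings


def find_duplicate_identities(events) -> List[Tuple[str, str, str]]:
    """A connect for a station id that already has an open session from another
    address: either a misconfigured station or someone presenting its identity."""
    open_sessions: Dict[str, List[str]] = defaultdict(list)
    findings = []
    for _, event, station, src in sorted(events, key=lambda e: e[0]):
        if event == "connect":
            if open_sessions[station] and src not in open_sessions[station]:
                findings.append((station, open_sessions[station][0], src))
            open_sessions[station].append(src)
        elif src in open_sessions[station]:
            open_sessions[station].remove(src)
    return findings


def find_sequential_identifiers(station_ids, min_run: int = 3) -> List[str]:
    """Identifiers whose trailing numbers form an unbroken run (same prefix);
    such ranges are cheap to enumerate and should be replaced with random ids."""
    by_prefix: Dict[str, Dict[int, str]] = defaultdict(dict)
    for sid in station_ids:
        m = re.match(r"^(.*?)(\d+)$", sid)
        if m:
            by_prefix[m.group(1)][int(m.group(2))] = sid
    flagged = []
    for numbered in by_prefix.values():
        run: List[int] = []
        for n in sorted(numbered) + [None]:  # sentinel flushes the last run
            if run and n is not None and n == run[-1] + 1:
                run.append(n)
            else:
                if len(run) >= min_run:
                    flagged.extend(numbered[k] for k in run)
                run = [n] if n is not None else []
    return flagged


def audit(text: str) -> Dict[str, list]:
    events = parse_log(text)
    return {
        "untrusted_sources": find_untrusted_sources(events),
        "duplicate_identities": find_duplicate_identities(events),
        "sequential_identifiers": find_sequential_identifiers({e[2] for e in events}),
    }


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_LOG).items():
        print(name, hits)
```

On the sample, CP-0041 is flagged twice: once because a second session for it opens from a public address while the first is still up, and once because that address is outside the trusted range. The identifier audit flags all four stations because CP-0041 through CP-0044 are consecutive. In production the same three checks would run against the gateway's real logs, with the allowlist and identifier scheme taken from the deployment.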

Longer-term, pressure vendors to implement proper authentication on OCPP endpoints. The protocol itself supports authentication—this vulnerability exists in implementations that skip it for convenience.

Why This Matters

EV charging infrastructure is critical infrastructure. As electric vehicle adoption accelerates, these networks become more attractive targets for disruption, whether by nation-state actors seeking to destabilize energy systems or criminals looking for fraud opportunities.

CVE-2026-20781 demonstrates a recurring IoT security pattern: protocols designed for trusted environments being deployed on untrusted networks without adding authentication. We've seen this movie before with industrial control systems, and the consequences for ICS/SCADA security continue to unfold.

Organizations operating EV charging infrastructure should treat this disclosure as a wake-up call. Audit your OCPP deployments now, before attackers do it for you.
