CVE-2026-40702

Summary

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

Affected Software

VendorProductVersion RangeStatus
EVokeEVoke CSMSAll versionsaffected

Weaknesses

  • CWE-306: CWE-306

Workarounds

EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers. EVoke states that the platform will monitor session anomalies including repeated connection attempts, unexpected IP address changes, and abnormal message patterns. Security events will be logged and flagged for operational review. EVoke states that to address the risk of denial-of-service via repeated authentication attempts, EVoke will implement connection rate limiting at the WebSocket gateway layer. These controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns. EVoke states they are developing a lifecycle policy for legacy chargers that cannot support modern OCPP security profiles. This policy will include identification of unsupported EVSE models and risk classification Migration planning with site operators where possible

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References