CISA has issued an industrial control systems advisory covering four significant vulnerabilities in the EVoke Systems Charging Station Management System (CSMS), a platform used to manage electric vehicle supply equipment (EVSE) across the energy and transportation sectors worldwide. All current versions of the EVoke CSMS are affected.
Vulnerability Overview
The advisory identifies two CVEs at the core of the disclosed weaknesses:
- CVE-2026-40702 (CVSS v3.1: 9.4 Critical): WebSocket endpoints in the CSMS lack proper authentication mechanisms, allowing attackers to impersonate registered charging stations without any credentials. Successful exploitation enables unauthorized access to sensitive data, arbitrary command execution, privilege escalation, and potential compromise of the broader management system.
- CVE-2026-50176: The WebSocket API imposes no restrictions on the number of authentication attempts, leaving the platform open to brute-force credential attacks and denial-of-service conditions.
Beyond these two CVEs, CISA also flags missing authentication for critical functions, insufficient session expiration, and insufficiently protected credentials as part of the broader weakness profile (CWE-306 and related issues).
Why Remediation Is Complicated
EVoke’s CSMS is hardware-agnostic and must interoperate with charger hardware from multiple OEMs, many of which implement different Open Charge Point Protocol (OCPP) security profiles. The platform currently supports all OCPP security profiles 0 through 3, but the effective security posture of any given charger connection depends entirely on what the charger’s firmware supports.
Legacy chargers installed before stronger authentication mechanisms were standardized are limited to Security Profile 0 or 1, which offer minimal authentication guarantees. Some of these devices, including certain models originally produced by EVBox, are no longer supported by their manufacturers and cannot be upgraded.
Interim Mitigations
EVoke has outlined several protective measures being implemented while longer-term fixes are developed:
- Charger allow-listing: Only charger IDs registered in the EVoke CSMS inventory database will be accepted. Unknown identifiers will be rejected at the connection layer.
- Single-session enforcement: Only one active connection per charger ID will be permitted at a time. Duplicate connection attempts will result in the new request being rejected or the prior session terminated.
- Connection rate limiting: WebSocket gateway-level controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns.
- Anomaly monitoring: The platform will log and flag repeated connection attempts, unexpected IP address changes, and abnormal message patterns for operational review.
- OEM migration program: For chargers whose firmware can still be updated, EVoke is working with OEM partners to migrate devices to Security Profile 2 (TLS with basic authentication) or Security Profile 3 (mutual TLS with client certificates).
- Legacy lifecycle policy: EVoke is developing a formal policy to identify unsupported EVSE models, classify associated risk, and coordinate migration planning with site operators where feasible.
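The first four measures amount to an admission decision made before any OCPP message is processed. The sketch below is an added illustration, not EVoke's code: the class, method names, thresholds and decision strings are all hypothetical, and it takes the "reject the new request" option for duplicate sessions.

```python
import time
from collections import defaultdict, deque

class ConnectionGate:
    """Admission checks for charger WebSocket connections (illustrative, assumed names)."""

    def __init__(self, inventory, max_attempts=5, window_s=60.0, block_s=300.0):
        self.inventory = set(inventory)     # registered charger IDs (allow-list)
        self.max_attempts = max_attempts    # attempts allowed per source per window
        self.window_s = window_s
        self.block_s = block_s              # temporary block duration
        self.attempts = defaultdict(deque)  # source IP -> recent attempt times
        self.blocked_until = {}             # source IP -> time the block lifts
        self.sessions = {}                  # charger ID -> source IP of live session
        self.last_ip = {}                   # charger ID -> last accepted source IP
        self.alerts = []                    # anomaly records for operational review

    def admit(self, charger_id, src_ip, now=None):
        now = time.monotonic() if now is None else now
        # Rate limiting: every attempt counts, whether or not it would be accepted.
        if self.blocked_until.get(src_ip, 0.0) > now:
            return "reject:blocked"
        q = self.attempts[src_ip]
        while q and now - q[0] > self.window_s:
            q.popleft()
        q.append(now)
        if len(q) > self.max_attempts:
            self.blocked_until[src_ip] = now + self.block_s
            self.alerts.append(("rate_limit", src_ip, charger_id))
            return "reject:rate_limited"
        # Allow-listing: unknown identifiers never reach the OCPP handler.
        if charger_id not in self.inventory:
            self.alerts.append(("unknown_id", src_ip, charger_id))
            return "reject:unknown_id"
        # Single-session enforcement: keep the existing session, refuse the new one.
        if charger_id in self.sessions:
            self.alerts.append(("duplicate_session", src_ip, charger_id))
            return "reject:duplicate"
        # Anomaly monitoring: flag a known charger reconnecting from a new address.
        if self.last_ip.get(charger_id, src_ip) != src_ip:
            self.alerts.append(("ip_change", src_ip, charger_id))
        self.sessions[charger_id] = src_ip
        self.last_ip[charger_id] = src_ip
        return "accept"

    def close(self, charger_id):
        # Call on WebSocket close so the charger can reconnect.
        self.sessions.pop(charger_id, None)
```

None of these checks authenticates the charger: a registered ID presented from another host still passes the allow-list, so the duplicate-session and IP-change alerts are the signals to review on Security Profile 0 and 1 connections.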
Operational Context
The vulnerabilities affect deployments globally, spanning critical infrastructure in the energy and transportation sectors. Security teams operating EV charging networks that rely on EVoke CSMS should treat the WebSocket authentication gap as an immediate priority, particularly in environments where legacy chargers cannot be upgraded to stronger OCPP profiles. Organizations can contact EVoke directly through the vendor’s contact page for guidance specific to their deployment.
