Critical Flaws in EVoke Charging Station Management System Allow Unauthenticated Control of EV Chargers
CISA warns of multiple vulnerabilities in EVoke Systems' Charging Station Management System, including a missing authentication flaw that could let attackers take remote control of electric vehicle charging stations worldwide.
CISA has issued an advisory warning of a cluster of critical vulnerabilities in the EVoke Systems Charging Station Management System (CSMS), a platform used to monitor and control electric vehicle charging stations across the globe. The flaws, disclosed on June 25, 2026, carry a CVSS score as high as 9.4 and could allow remote attackers to seize administrative control of charging hardware or launch denial-of-service attacks that disrupt charging services.
The advisory details four distinct vulnerabilities: a WebSocket authentication bypass (CVE-2026-40702), a missing rate-limit on authentication attempts (CVE-2026-50176), insufficient session expiration, and insufficiently protected credentials. The most severe, CVE-2026-40702, stems from WebSocket endpoints that fail to require any authentication, letting an attacker impersonate a legitimate charging station. Once connected, the attacker can access sensitive data or perform unauthorized actions, potentially escalating to full system compromise.
The affected product, EVoke CSMS, is deployed across the Energy and Transportation Systems sectors and is used worldwide. The vulnerabilities affect all versions of the platform. EVoke Systems, headquartered in the United States, has acknowledged the issues and is working on mitigations, but the company notes that the underlying problem is compounded by the diversity of charger hardware in the field.
EVoke states that its CSMS must interoperate with chargers from multiple Original Equipment Manufacturers (OEMs) that support different OCPP (Open Charge Point Protocol) security profiles. Many legacy chargers in the deployed network only support Security Profile 0 or 1, which lack robust authentication. Some of these chargers are no longer supported by their original manufacturers and cannot be upgraded to support the stronger Security Profile 2 (TLS with basic authentication) or Profile 3 (mutual TLS).
To address these legacy constraints, EVoke is implementing a series of server-side mitigations. The company plans to enforce allow-listing so that only registered charger IDs are accepted, restrict connections to a single active session per charger ID to prevent session hijacking, and deploy rate limiting on WebSocket connections to blunt brute-force and denial-of-service attempts. EVoke is also developing a lifecycle policy to identify and classify unsupported legacy chargers and work with site operators on migration.
While no active exploitation has been reported, the advisory highlights serious risks for critical infrastructure. CISA recommends that operators of EVoke CSMS immediately review the vendor's mitigation guidance, ensure that all chargers in their fleet are managed under the strongest available OCPP security profile, and contact EVoke for further support. The advisory also urges organizations to isolate CSMS networks from business systems to reduce exposure.
This disclosure underscores a persistent challenge in the electric vehicle charging ecosystem: the long tail of legacy equipment that cannot easily be patched or upgraded. As EV charging infrastructure becomes more central to transportation and energy systems, the gap between modern security standards and legacy hardware will continue to create opportunities for attackers unless industry-wide migration and certification efforts accelerate.