Three Critical Vulnerabilities Disclosed in Hydro-Québec's EV Charging Station Backend
CISA has issued an advisory detailing three critical vulnerabilities in Hydro-Québec's Le Circuit Electrique charging station backend, potentially allowing for privilege escalation and denial-of-service attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory highlighting three critical vulnerabilities affecting Hydro-Québec's Le Circuit Electrique charging station backend. These flaws, present in versions prior to June 2026, could enable attackers to gain elevated privileges or disrupt the service.
The first vulnerability, CVE-2026-20744, stems from an improper access control issue. The charging station's websocket endpoint accepts connections without adequate authentication. This oversight could allow an unauthenticated attacker to escalate their privileges within the system, potentially gaining unauthorized control over charging station operations.
Another critical vulnerability, CVE-2026-42952, relates to a lack of authentication attempt throttling. Previously, the charging station backend did not limit the number of repeated authentication attempts. This deficiency could be exploited by an attacker to conduct a denial-of-service (DoS) attack, overwhelming the system with excessive login requests and rendering it inoperable.
The third identified vulnerability, CVE-2026-44383, permits an attacker to overwhelm the backend system. The system allows multiple instances of malicious Open Charge Point Protocol (OCPP) clients to connect simultaneously using the same charging station ID. This could enable an attacker to deploy numerous malicious clients, leading to a DoS condition by exhausting backend resources.
These vulnerabilities carry significant risk, with CVSS scores indicating critical severity. CVE-2026-20744 is rated at a CVSS v3.1 base score of 9.8 (CRITICAL), while CVE-2026-42952 and CVE-2026-44383 are rated at 7.5 (HIGH) and 8.7 (HIGH) respectively in CVSS v4.0.
In response to these findings, Hydro-Québec has implemented several mitigation strategies. The company has updated the majority of its charging stations to disable the OCPP protocol, thereby removing the attack vector for these specific vulnerabilities. For charging stations that still rely on OCPP, Hydro-Québec has introduced authentication systems to bolster security.
CISA recommends that organizations minimize network exposure for all control system devices, ensuring they are not accessible from the internet. Isolating control system networks behind firewalls and using secure remote access methods like VPNs are also advised. Organizations are encouraged to perform thorough impact and risk assessments before deploying any defensive measures.
While no known public exploitation targeting these specific vulnerabilities has been reported to CISA at this time, the critical nature of the flaws underscores the importance of timely patching and robust security practices within the critical infrastructure sector, particularly for electric vehicle charging networks.