EV2GO WebSocket Session Hijacking Vulnerability

Vulnerability

A vulnerability in the WebSocket backend of EV2GO's charging station management system allows for session hijacking or shadowing. The issue arises because the system uses charging station identifiers to associate sessions but permits multiple endpoints to connect using the same identifier. This implementation leads to predictable session identifiers, where the most recent connection can displace the legitimate charging station and intercept backend commands intended for it. As a result, unauthorized users may authenticate as other users, or a malicious actor could overwhelm the backend with valid session requests, causing a denial-of-service condition.
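The flaw described above, modelled as an added example (not EV2GO's code; the per-station credential and the connection objects are assumptions): a session registry keyed only by the charging station identifier lets the newest connection displace the legitimate one, while a registry that binds the identifier to a provisioned credential and refuses a second live session keeps commands routed to the real station and records the attempt for detection.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Connection:
    conn_id: str        # handle of one WebSocket connection (constructed value)
    station_id: str     # charging station identifier the client claims
    secret: str = ""    # per-station credential presented at connect (assumed model)

class VulnerableRegistry:
    """Keyed only by station_id: a later connection silently displaces the earlier one."""
    def __init__(self):
        self.sessions = {}

    def connect(self, conn):
        self.sessions[conn.station_id] = conn     # last writer wins: the flaw
        return True

    def route(self, station_id):
        return self.sessions[station_id].conn_id  # where backend commands now go

class HardenedRegistry:
    """Bind station_id to a provisioned credential and refuse a second live session."""
    def __init__(self, credentials):
        self.credentials = credentials  # station_id -> expected secret (assumed provisioning)
        self.sessions = {}
        self.alerts = []                # events worth forwarding to detection / IR

    def connect(self, conn):
        expected = self.credentials.get(conn.station_id)
        if expected is None or not hmac.compare_digest(expected.encode(), conn.secret.encode()):
            self.alerts.append(f"auth_failed station={conn.station_id} conn={conn.conn_id}")
            return False
        if conn.station_id in self.sessions:  # keep the existing session; duplicate claim = signal
            self.alerts.append(f"duplicate_session station={conn.station_id} conn={conn.conn_id}")
            return False
        self.sessions[conn.station_id] = conn
        return True

    def route(self, station_id):
        return self.sessions[station_id].conn_id

def demo():
    legit = Connection("conn-1", "CS-0001", "s3cret")
    rogue = Connection("conn-2", "CS-0001")           # same identifier, no credential
    vuln, hard = VulnerableRegistry(), HardenedRegistry({"CS-0001": "s3cret"})
    for reg in (vuln, hard):
        reg.connect(legit)
        reg.connect(rogue)
    return vuln.route("CS-0001"), hard.route("CS-0001"), hard.alerts
```

In a real backend the identifier should only be released by the connection that owns it (after a close or heartbeat timeout), so a stale entry cannot be re-claimed, and the `alerts` list stands in for whatever event sink feeds the SOC.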

Impact

Exploitation of this vulnerability could allow attackers to impersonate charging stations, hijack sessions, misroute legitimate traffic (causing a large-scale denial of service), and manipulate data sent to the backend.

Remediation

EV2GO did not respond to CISA's request for coordination. Contact EV2GO through their contact page for more information.

Added: Feb 27, 2026, 12:29 AM
Updated: Feb 27, 2026, 12:29 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  7.0
remediation     0.0
relevance       3.3
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.