EV2GO WebSocket Authentication Vulnerability Allowing Unauthorized Station Impersonation
Vulnerability
A vulnerability exists in the WebSocket endpoints of EV2GO's charging management platform, ev2go.io, all versions. The issue arises from a lack of proper authentication, which enables attackers to impersonate charging stations and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and issue or receive OCPP commands as if they were a legitimate charger. This vulnerability could lead to unauthorized control of charging infrastructure, privilege escalation, corruption of charging network data, and large-scale denial-of-service by misrouting legitimate traffic.
Impact
Exploitation of this vulnerability could allow an attacker to impersonate charging stations, hijack sessions, manipulate data sent to the backend, and suppress or misroute legitimate traffic, causing large-scale denial-of-service.
Remediation
EV2GO did not respond to CISA's request for coordination. Contact EV2GO using their contact page for more information.
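The control whose absence is described under Vulnerability, shown as an added example (it is not EV2GO's code and not part of the advisory): a check run on the WebSocket upgrade request before any OCPP message is accepted, using HTTP Basic credentials bound to the station identifier, the approach OCPP's security profiles take. The `/ocpp/<station_id>` path layout, the `authorize_upgrade` function and the credential store are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed credential store: station id -> (salt, password hash).
_SALT = b"constructed-salt"
STATIONS = {"CP-0001": (_SALT, _hash(b"constructed-secret", _SALT))}
_DUMMY = (_SALT, b"\x00" * 32)  # keeps timing similar for unknown ids

def authorize_upgrade(path: str, headers: dict) -> tuple:
    """Return (http_status, reason); 101 means the upgrade may proceed."""
    # Assumed URL layout: /ocpp/<station_id>
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "ocpp" or not parts[1]:
        return 404, "unknown endpoint"
    station_id = parts[1]

    # Header names assumed already normalised by the HTTP layer.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, "credentials required"
    try:
        user, sep, password = base64.b64decode(token, validate=True).partition(b":")
    except ValueError:
        return 401, "malformed credentials"
    if not sep:
        return 401, "malformed credentials"

    # The station id in the URL is only a claim: it must equal the
    # identity that authenticated, or one station could pose as another.
    if user != station_id.encode():
        return 401, "identity mismatch"

    salt, expected = STATIONS.get(station_id, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if not matches or station_id not in STATIONS:
        return 401, "invalid credentials"
    return 101, "ok"
```

Basic credentials are only as private as the transport, so a check like this belongs behind TLS (`wss://`).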
