EVoke Systems Charging Station Management System
Summary
CISA has issued an alert regarding multiple critical vulnerabilities in EVoke Systems Charging Station Management System (CSMS), affecting all versions. These flaws, including missing authentication for critical functions and insufficient session expiration, could allow attackers to gain unauthorized administrative control over charging stations or disrupt services through denial-of-service attacks. The vulnerabilities pose a significant risk to critical infrastructure sectors such as energy and transportation systems.
IFF Assessment
The vulnerabilities let an attacker who can reach the CSMS network interface take administrative control of charging stations and disrupt charging service, a severe risk for the energy and transportation infrastructure that depends on them.
Severity
The CVSS v3 base score is 9.4 (Critical). The advisory groups several distinct weaknesses: missing authentication for critical functions (including WebSocket endpoints), improper restriction of excessive authentication attempts, insufficient session expiration, and insufficiently protected credentials. Together these let an attacker impersonate a charging station to the CSMS, brute-force or reuse credentials, continue using sessions that should have expired, perform unauthorized actions, and escalate privilege, with high confidentiality, integrity, and availability impact.
Defender Context
Defenders responsible for critical infrastructure, especially in the energy and transportation sectors, should treat these EVoke Systems CSMS vulnerabilities as urgent. Apply any vendor-provided fixes as soon as they are available and, until then, limit who can reach the CSMS: keep management and station-facing interfaces off the public internet, restrict access by firewall or VPN to known stations and operators, monitor for unexpected WebSocket connections and repeated failed authentications, and rotate any credentials that may have been exposed. The weaknesses here are basic ones (absent authentication, no lockout, non-expiring sessions) that require no sophisticated attacker, which is exactly why internet-connected OT such as EV charging needs the same baseline controls as any other exposed service.