A sweeping coordinated disclosure from the Cybersecurity and Infrastructure Security Agency (CISA) on February 26, 2026, named CloudCharge, SWTCH Energy, EV Energy (ev.energy), Chargemap, Mobility46, and EV2GO in a series of Industrial Control Systems (ICS) advisories that collectively exposed a structural security failure at the heart of the global electric vehicle charging ecosystem. Each advisory described virtually the same vulnerability classes — missing authentication, session hijacking, absent rate limiting, and publicly exposed credentials — all targeting the WebSocket communication layer that connects charging stations to their cloud management backends through the Open Charge Point Protocol (OCPP).
The CloudCharge advisory (ICSA-26-057-03) earned a CVSS v3 score of 9.4, placing it squarely in the critical severity range. CISA classified the affected sectors as Energy and Transportation Systems — both designated critical infrastructure sectors under Presidential Policy Directive 21. Parallel advisories were issued under ICSA-26-057-04 through ICSA-26-057-08 for the remaining vendors, all carrying high or critical severity scores and describing near-identical attack surfaces.
What makes this disclosure unusual is not just the severity of the individual findings. It is the pattern — the same fundamental security defects appearing independently across multiple commercial platforms from different vendors in different countries, all at once. This is not a coincidence. It is the predictable consequence of an entire industry building on protocol foundations that were never engineered to be secure.
Four CVEs, One Devastating Picture
CISA's CloudCharge advisory enumerated four distinct CVEs affecting all versions of the platform. Together, they form a comprehensive indictment of the platform's WebSocket-based OCPP communication layer, deployed worldwide with no meaningful security controls.
CVE-2026-20781 (CVSS 9.4 — Critical) — Missing Authentication for Critical Function (CWE-306): The WebSocket endpoints handling OCPP communications between charging stations and the cloud management backend have no proper authentication mechanism. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and issue or receive OCPP commands as though they were a legitimate charger. According to the CISA advisory, this opens the door to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
CVE-2026-25114 (CVSS 7.5 — High) — Improper Restriction of Excessive Authentication Attempts (CWE-307): The WebSocket API imposes no restrictions on the number of authentication requests. Without rate limiting, an attacker can flood the system to suppress or misroute legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
CVE-2026-27652 (CVSS 7.3 — High) — Insufficient Session Expiration (CWE-613): The WebSocket backend uses charging station identifiers to associate sessions but permits multiple endpoints to connect using the same session identifier. This produces predictable session tokens and enables session hijacking or shadowing. The latest connection displaces the legitimate charger and receives backend commands meant for that station.
CVE-2026-20733 (CVSS 6.5 — Medium) — Insufficiently Protected Credentials (CWE-522): Charging station authentication identifiers are publicly accessible through web-based mapping platforms. The credentials needed to impersonate a charging station are sitting in the open, discoverable by anyone who looks.
Chaining these vulnerabilities together allows attackers to impersonate charging stations, hijack active sessions, cause large-scale denial of service by suppressing or misrouting legitimate traffic, and manipulate data flowing to backend systems. The station identifiers needed to begin exploitation are already publicly discoverable.
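An added example, not code from CloudCharge, CISA or the researchers: the three backend controls whose absence the CVEs above describe, applied at the point where a charger's WebSocket connection is accepted. The `AdmissionGate` class, its method names, the per-station shared secret and the thresholds are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque


class AdmissionGate:
    """Hypothetical gate a backend consults before accepting a charger's WebSocket."""

    def __init__(self, secrets, max_failures=5, window_s=60.0, clock=time.monotonic):
        # Assumption: each station has its own secret, provisioned out of band.
        # Digests equalise length for the constant-time comparison below.
        self._digests = {sid: self._digest(s) for sid, s in secrets.items()}
        self._max_failures, self._window_s, self._clock = max_failures, window_s, clock
        self._failures = defaultdict(deque)  # source address -> failure timestamps
        self._active = {}                    # station ID -> live connection ID

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).digest()

    def _throttled(self, source):
        now, recent = self._clock(), self._failures[source]
        while recent and now - recent[0] > self._window_s:
            recent.popleft()                 # forget failures outside the window
        return len(recent) >= self._max_failures

    def admit(self, station_id, secret, source, conn_id):
        if self._throttled(source):          # CWE-307: bound repeated attempts
            return "throttled"
        expected = self._digests.get(station_id, b"\x00" * 32)
        matches = hmac.compare_digest(expected, self._digest(secret))
        if station_id not in self._digests or not matches:
            self._failures[source].append(self._clock())
            return "rejected"                # CWE-306: the ID alone is not a credential
        if station_id in self._active:       # CWE-613: never silently displace a session
            return "duplicate"               # caller should liveness-check the old one
        self._active[station_id] = conn_id
        return "accepted"

    def release(self, station_id, conn_id):
        # Only the connection that owns the session may end it.
        if self._active.get(station_id) == conn_id:
            del self._active[station_id]
```

Returning `"duplicate"` instead of replacing the existing session leaves the policy decision to the caller, which can check whether the existing connection is still alive before admitting a reconnecting charger.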
The Researchers Who Exposed an Industry
The vulnerabilities across all affected vendors were reported to CISA by two researchers from Concordia University in Montreal: Khaled Sarieddine and Mohammad Ali Sayed. Their work is not an isolated finding — it is the culmination of years of systematic security research into the EV charging ecosystem that has progressively revealed deeper and more alarming weaknesses at every layer.
Sarieddine completed his PhD in Information and Systems Engineering at Concordia under the supervision of Professors Chadi Assi and Mourad Debbabi, building an extensive body of research targeting OCPP backend vulnerabilities, EV charging mobile application security, and the implications of compromised charging stations on power grid stability. Sayed, also from Concordia's Institute for Information Systems Engineering, has conducted parallel research on power grid security and the physical consequences of cyberattacks against EV infrastructure.
Their landmark 2024 paper, presented at the 19th ACM Asia Conference on Computer and Communications Security (ASIACCS) in Singapore, systematically analyzed the OCPP backend communication layer across 16 representative live EV charging management systems worldwide. They discovered six zero-day vulnerabilities that could be chained together to create what they termed "phantom" charging stations — software-based imposters that connect to legitimate cloud management backends, displace real chargers, and intercept or manipulate commands and data.
"The government-backed infrastructure expansion resulted in the rushed integration of a significant number of insecure EV Charging Stations, which are vulnerable to cyber-attacks." — Sarieddine et al., ACM ASIACCS 2024
Professor Chadi Assi described the research as a discovery of vulnerabilities that could be linked together to initiate severely harmful attacks against the OCPP backends of 16 global EV charging network operators. That academic work has now translated directly into real-world vulnerability disclosures affecting production systems used by charging networks across North America, Europe, and beyond.
OCPP: The Protocol That Built an Industry — Without Security
Understanding why these vulnerabilities are so pervasive requires understanding the Open Charge Point Protocol. Developed by the Open Charge Alliance, OCPP is the dominant communication standard governing how individual charging stations communicate with their cloud-based management systems. It handles everything from initiating and terminating charging sessions to reporting energy consumption, processing payments, managing user authorization, and distributing firmware updates.
OCPP version 1.6 remains the protocol version that the vast majority of deployed charging stations worldwide actually run. It was designed primarily for interoperability — making it straightforward for chargers from different manufacturers to work with different backend management platforms. Security was not a design priority. The protocol in its 1.6 incarnation lacks mandatory mutual authentication between charging stations and management systems, provides no built-in mechanism for encrypted communications, and relies on WebSocket connections that can be trivially impersonated if an attacker knows a station's identifier.
OCPP 2.0.1 introduced security improvements including X.509 certificate-based device management and TLS support. However, OCPP 2.0.1 is not backward compatible with 1.6. Upgrading requires hardware changes to the charging stations themselves, representing a massive capital expenditure that many operators are unwilling or unable to undertake.
A comprehensive 2025 analysis published in the International Journal of Information Security by researchers including members of the same Concordia team confirmed that OCPP carries significant cyber risks stemming from weak authentication mechanisms and improper session handling, and specifically highlighted the backward incompatibility challenge as a barrier to adopting more secure protocol versions.
Researchers at Idaho National Laboratory have separately demonstrated proof-of-concept exploits against OCPP 1.6, including machine-in-the-middle attacks that could remotely terminate charging sessions, prevent charging visibility and control, and gain root access to charging equipment through malicious firmware updates. Their 2023 paper, authored by Jay Johnson, David Elmo, George Fragkos, and colleagues, found that OCPP 1.6 could be protected from these attacks by wrapping communications in secure shell (SSH) tunnels or IPSec — but only if operators took the initiative to implement these compensating controls.
Argonne National Laboratory's 2024 analysis of the EV charging infrastructure security landscape found that while some larger charging network operators pursuing FedRAMP authorization demonstrated stronger security postures, smaller networks frequently exposed insecure servers, unprotected administrative panels, and known vulnerabilities to the public internet. Their researchers used publicly available tools like Shodan and Nmap to locate multiple charger management systems online with weak credentials and outdated services.
A Multi-Billion-Dollar Attack Surface
The timing of these disclosures is significant. According to Fortune Business Insights, the global EV charging station market was valued at approximately $18.16 billion in 2025 and is projected to grow to $22.93 billion in 2026 — part of a trajectory toward nearly $140 billion by 2034. As of January 2025, the United States alone had over 75,000 public charging stations with more than 207,000 individual charging ports, according to the Federal Highway Administration.
India's PM E-DRIVE scheme, launched in September 2025, allocated $1.1 billion to install 72,000 public charging stations nationwide. China continues to dominate global deployment — BYD alone announced plans to build 4,000 of its new Megawatt Flash Charging stations, with partnerships targeting over 15,000 high-power charging points across the country. In Europe, BYD has committed to approximately 3,000 fast-charging stations by the end of 2026.
Every one of these stations communicates with a cloud management system. Many of those systems use OCPP. And as the Concordia researchers have demonstrated across years of systematic testing, many of those OCPP implementations are running with their digital front doors wide open.
The Vendor Silence Problem
Perhaps the single most troubling dimension of the February 26 disclosures is what happened — or rather, failed to happen — when CISA attempted to coordinate remediation. The CloudCharge advisory states plainly that the vendor did not respond to CISA's coordination requests. Identical language appears in the advisories for SWTCH Energy, EV Energy, Chargemap, and Mobility46. Multiple vendors, across multiple countries, all receiving coordinated vulnerability disclosure notices from the United States' lead cybersecurity agency — and none of them engaging.
The coordinated vulnerability disclosure (CVD) framework depends on vendors actively participating in the remediation process. When vendors go silent, CISA faces a stark choice: sit on critical vulnerability information indefinitely while production systems remain exposed, or publish advisories to warn operators and the public without vendor-provided patches or mitigations. CISA chose to publish.
In the absence of vendor patches, CISA's mitigation guidance recommended that operators minimize network exposure for all control system devices and ensure they are not directly accessible from the internet, place control system networks and remote devices behind firewalls isolated from business networks, and use secure remote access methods such as VPNs when remote connectivity is required.
Broader Context: An Ecosystem Under Pressure
The CloudCharge wave was not an isolated event. In November 2025, Southwest Research Institute (SwRI) disclosed a separate vulnerability in the ISO 15118 vehicle-to-grid communications standard, prompting CISA advisory ICSA-25-303-01. SwRI engineers demonstrated that the Signal Level Attenuation Characterization (SLAC) protocol used to pair vehicles with chargers could be spoofed, enabling machine-in-the-middle attacks between an EV and its charger. SwRI engineer Mark Johnson emphasized that the flaw stems from the industry standard itself, meaning it could affect a variety of vehicle manufacturers. He expressed hope that the findings would encourage manufacturers to continue adopting technologies such as public key infrastructure in the EV charging space.
Work published through the IEEE and ACM, and by researchers at the Sandia, Idaho, Pacific Northwest, and Argonne national laboratories, converges on the same conclusion: the EV charging ecosystem was built for speed and interoperability, and the accumulated security debt is now coming due. Sandia National Laboratories' comprehensive review of EV charger cybersecurity vulnerabilities documented risks at every interface — from vehicle-to-charger communications to cloud management backends to physical access ports left exposed on production equipment.
The European Union's Alternative Fuels Infrastructure Regulation (AFIR) mandates charging station deployment targets but does not impose specific cybersecurity requirements on the charging infrastructure itself. The U.S. NEVI program similarly emphasizes deployment metrics and uptime standards without establishing security baselines for the communication protocols underpinning those chargers.
What Operators Should Do Now
For charging network operators running CloudCharge or any of the other affected platforms, the immediate priority is network segmentation and access control. If your charging management system's WebSocket endpoints are reachable from the public internet — and the architecture of cloud-managed charging infrastructure means many are — you are exposed. The authentication identifiers for your stations may already be publicly discoverable through mapping platforms.
- Audit OCPP backend implementations immediately. Pay particular attention to WebSocket authentication, session management, and rate limiting. Identify whether your platform enforces mutual authentication between chargers and the management backend.
- Implement network segmentation as a baseline. Charging infrastructure control networks should be isolated from business networks and not directly accessible from the public internet. This is the single highest-impact mitigation available today.
- Rotate or supplement exposed station identifiers. If your charging station identifiers are discoverable through public mapping platforms, they should be treated as compromised credentials. Supplement them with additional authentication factors where the platform supports it.
- Evaluate migration paths to OCPP 2.0.1. Where hardware constraints make full migration impractical, implement compensating controls such as SSH tunnels or IPSec wrappers around OCPP 1.6 communications, consistent with the approach demonstrated by Idaho National Laboratory researchers.
- Demand transparency from platform vendors. Vendors who did not engage with CISA's coordinated disclosure process should be challenged on their security practices, incident response capabilities, and plans for addressing these specific CVEs.
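For the audit step in the list above, an added example (not taken from any vendor's platform or from the CISA advisories) that scans backend connection logs for two signs of the session problems described earlier: a station identifier connecting from a second source while its first session is still open, and one source presenting several station identifiers. The log format, the function name `find_anomalies`, the threshold and the sample lines are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log; the "<epoch> <event> <station_id> <source_ip>"
# layout is an assumption, so adapt the parsing to your backend's format.
SAMPLE_LOG = """\
1000 connect CP-0001 192.0.2.10
1005 connect CP-0002 192.0.2.11
1030 connect CP-0001 203.0.113.5
1031 disconnect CP-0001 192.0.2.10
1040 connect CP-0003 203.0.113.5
1041 connect CP-0004 203.0.113.5
1100 disconnect CP-0002 192.0.2.11
1160 connect CP-0002 192.0.2.11
"""


def find_anomalies(log_text, max_ids_per_source=2):
    """Return (overlapping sessions, sources presenting too many station IDs)."""
    open_sessions = defaultdict(set)   # station ID -> sources with a live session
    ids_by_source = defaultdict(set)   # source -> station IDs it has presented
    overlaps, flagged = [], set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                   # skip malformed lines instead of crashing
        ts, event, station, source = parts
        if event == "connect":
            others = open_sessions[station] - {source}
            if others:                 # same ID already live from another source
                overlaps.append((int(ts), station, source, sorted(others)))
            open_sessions[station].add(source)
            ids_by_source[source].add(station)
            if len(ids_by_source[source]) > max_ids_per_source:
                flagged.add(source)
        elif event == "disconnect":
            open_sessions[station].discard(source)
    return overlaps, sorted(flagged)


if __name__ == "__main__":
    print(find_anomalies(SAMPLE_LOG))
```

Chargers that share a cellular gateway or NAT address will legitimately present many identifiers from one source, so set `max_ids_per_source` from a baseline of your own fleet.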
The Bottom Line
The February 26 CISA disclosures represent something more significant than a batch of vulnerability reports against individual companies. They are a structural indictment of an industry's approach to security. The same vulnerability classes appearing independently across six different platforms from vendors in Sweden, the United States, the United Kingdom, and France point to a systemic failure rooted in the protocol layer — OCPP 1.6 — that the majority of the world's deployed charging infrastructure still depends on.
The transition to electric transportation is essential. But as Sarieddine, Sayed, and their colleagues at Concordia University have demonstrated through years of rigorous research — and as the national laboratories at Idaho, Argonne, and Sandia, along with SwRI, have independently confirmed — the infrastructure supporting that transition was built on foundations that were never engineered to withstand adversarial pressure. The question is no longer whether the security debt exists. It is whether the industry will address it before the first major real-world exploitation forces the issue.
CISA's advisory noted that no known public exploitation targeting these specific vulnerabilities has been reported. That should provide no comfort. The attack surface is documented. The tools are available. The credentials are public. The clock is running.