Introduction to Today's Threat Landscape
A recent surge in critical vulnerabilities has been discovered in charging infrastructure systems, including CloudCharge, EV2GO, and Mobility46, while a zero-day exploit has been found in Cisco SD-WAN, allowing attackers to bypass authentication and gain administrative privileges. These threats highlight the importance of patching and keeping software up to date to prevent large-scale denial of service, privilege escalation, and corruption of data. According to CISA, multiple vulnerabilities have been discovered in charging infrastructure systems, including missing authentication for critical functions, improper restriction of excessive authentication attempts, and insufficient session expiration.
Critical Vulnerabilities in Charging Infrastructure
Multiple vulnerabilities have been discovered in charging infrastructure systems, including CloudCharge, EV2GO, Mobility46, and SWITCH EV. These vulnerabilities allow attackers to impersonate charging stations, hijack sessions, and manipulate data sent to the backend. Successful exploitation could lead to large-scale denial of service, privilege escalation, and corruption of charging network data. The affected systems are widely deployed across critical infrastructure sectors, including energy and transportation.
For instance, CVE-2026-20781 is a missing authentication for critical function vulnerability in CloudCharge cloudcharge.se, which enables attackers to perform unauthorized station impersonation and manipulate data sent to the backend. This vulnerability occurs because the WebSocket endpoints lack proper authentication mechanisms, allowing an unauthenticated attacker to connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger.
Similarly, CVE-2026-24731 is a missing authentication for critical function vulnerability in EV2GO ev2go.io, which also enables attackers to perform unauthorized station impersonation and manipulate data sent to the backend. The CISA advisory for CloudCharge cloudcharge.se provides more information on the affected versions and remediations. The CISA advisory for EV2GO ev2go.io also provides more information on the affected versions and remediations.
In addition to these vulnerabilities, other issues have been identified in the charging infrastructure systems, including:
- Improper restriction of excessive authentication attempts: This vulnerability allows an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
- Insufficient session expiration: This vulnerability enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station.
- Insufficiently protected credentials: This vulnerability allows an attacker to obtain charging station authentication identifiers, which can be used to impersonate the charging station.
Cisco SD-WAN Zero-Day Vulnerability
A zero-day vulnerability has been discovered in Cisco SD-WAN, allowing attackers to bypass authentication and gain administrative privileges. The vulnerability has been exploited in the wild since 2023, with highly sophisticated hackers targeting vulnerable systems. According to BleepingComputer, Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
The SecurityWeek article provides more information on the vulnerability and its exploitation. Cisco has released patches to address the vulnerability, which is considered critical due to its potential impact on network security.
The affected products include:
- Cisco Catalyst SD-WAN Controller (formerly vSmart)
- Cisco Catalyst SD-WAN Manager (formerly vManage)
To mitigate this vulnerability, organizations should apply the patch as soon as possible and take additional measures to secure their networks, such as:
- Implementing a Virtual Private Network (VPN) to encrypt traffic between the controller and managed devices
- Using multi-factor authentication to prevent unauthorized access to the controller and manager
- Conducting regular security audits to identify potential vulnerabilities and weaknesses
Recommendations and Takeaways
To protect against these vulnerabilities, it is essential to patch and keep software up to date. Organizations should perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA recommends users take defensive measures to minimize the risk of exploitation, such as:
- Minimizing network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locating control system networks and remote devices behind firewalls and isolating them from business networks.
- Using more secure methods, such as Virtual Private Networks (VPNs), when remote access is required, recognizing VPNs may have vulnerabilities and should be updated to the most current version available.
Additionally, organizations should:
- Implement recommended cybersecurity strategies for proactive defense of ICS assets.
- Follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
- Keep software up to date and apply patches as soon as possible to prevent exploitation of known vulnerabilities.
- Conduct regular security audits to identify potential vulnerabilities and weaknesses.
- Use multi-factor authentication to prevent unauthorized access to critical systems.
By taking these steps, organizations can reduce the risk of exploitation and protect their charging infrastructure systems and Cisco SD-WAN networks from cyber threats. It is also essential to stay informed about the latest vulnerabilities and patches, and to have a comprehensive incident response plan in place in case of a security breach. Organizations should prioritize patching CVE-2026-20781 and CVE-2026-24731 in CloudCharge and EV2GO systems, respectively, and apply the Cisco patch for CVE-2026-20127 as soon as possible.