HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Missing Authentication in EVoke Systems Charging Station Management System (CVE‑2026‑40702) Enables Unauthorized Admin Control

EVoke Systems’ CSMS suffers from unauthenticated WebSocket endpoints (CVE‑2026‑40702) that allow attackers to impersonate charging stations and obtain administrative privileges. The flaw affects all deployed versions worldwide, exposing energy and transportation operators to data theft and service disruption. For SOC 2‑compliant organizations, the issue highlights a direct breach of logical‑access controls that must be mapped, monitored, and remediated.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 cisa.gov
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
cisa.gov

Missing Authentication in EVoke Systems Charging Station Management System (CVE‑2026‑40702) Enables Unauthorized Admin Control

What It Is – A set of flaws in EVoke Systems’ Charging Station Management System (CSMS) allow unauthenticated access to WebSocket endpoints. Attackers can impersonate charging stations, harvest credentials, and execute privileged actions without any login.

Exploitability – The vulnerabilities are publicly disclosed, have a CVSS v3 score of 9.4, and can be exploited remotely over the network. No public proof‑of‑concept is required; the attack surface is exposed by default.

Affected Products – EVoke Systems Charging Station Management System, all released versions (vers:all/*).

Why It Matters for Compliance & Audit Readiness

  • Control Mapping – The missing authentication directly violates SOC 2 CC6.1 (Logical Access) and CC6.2 (Authentication). Mapping this gap to your control framework highlights a concrete deficiency that auditors will probe.
  • Continuous Evidence – Demonstrating that you have automated monitoring for authentication failures and session‑expiration controls provides defensible audit evidence and shows due diligence to regulators and enterprise customers.
  • Enterprise Buyer Expectations – Energy and transportation operators increasingly require proof of robust access‑control processes before signing contracts; a documented remediation path strengthens your security posture in those negotiations.

Recommended Actions

  • Map the flaw to SOC 2 access‑control criteria (CC6.1, CC6.2) and update your control inventory.
  • Deploy immediate network‑level segmentation for CSMS endpoints and enforce TLS‑protected WebSocket connections.
  • Implement strong authentication (mutual TLS or token‑based) on all management APIs and enforce session‑timeout policies.
  • Enable continuous logging and alerting on failed authentication attempts; retain logs for at least 12 months as audit evidence.
  • Conduct a rapid penetration test of the CSMS environment to verify remediation.

Source: CISA Advisory – ICSA‑26‑176‑02

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →