Missing Authentication in EVoke Systems Charging Station Management System (CVE‑2026‑40702) Enables Unauthorized Admin Control
What It Is – A set of flaws in EVoke Systems’ Charging Station Management System (CSMS) allow unauthenticated access to WebSocket endpoints. Attackers can impersonate charging stations, harvest credentials, and execute privileged actions without any login.
Exploitability – The vulnerabilities are publicly disclosed, have a CVSS v3 score of 9.4, and can be exploited remotely over the network. No public proof‑of‑concept is required; the attack surface is exposed by default.
Affected Products – EVoke Systems Charging Station Management System, all released versions (vers:all/*).
Why It Matters for Compliance & Audit Readiness
- Control Mapping – The missing authentication directly violates SOC 2 CC6.1 (Logical Access) and CC6.2 (Authentication). Mapping this gap to your control framework highlights a concrete deficiency that auditors will probe.
- Continuous Evidence – Demonstrating that you have automated monitoring for authentication failures and session‑expiration controls provides defensible audit evidence and shows due diligence to regulators and enterprise customers.
- Enterprise Buyer Expectations – Energy and transportation operators increasingly require proof of robust access‑control processes before signing contracts; a documented remediation path strengthens your security posture in those negotiations.
Recommended Actions
- Map the flaw to SOC 2 access‑control criteria (CC6.1, CC6.2) and update your control inventory.
- Deploy immediate network‑level segmentation for CSMS endpoints and enforce TLS‑protected WebSocket connections.
- Implement strong authentication (mutual TLS or token‑based) on all management APIs and enforce session‑timeout policies.
- Enable continuous logging and alerting on failed authentication attempts; retain logs for at least 12 months as audit evidence.
- Conduct a rapid penetration test of the CSMS environment to verify remediation.
Source: CISA Advisory – ICSA‑26‑176‑02