EVoke CSMS faces CVSS 9.4 CVE-2026-40702 takeover flaw
Operators with Profile 0 or 1 chargers must upgrade firmware where possible or carry CVSS 9.4 exposure behind compensating controls.
TL;DR
CISA published ICSA-26-176-02 on EVoke Systems Charging Station Management System, with all EVoke CSMS versions affected worldwide across Energy and Transportation Systems. CVE-2026-40702 scores CVSS 9.4 and leaves unauthenticated WebSocket endpoints open to charger impersonation and unauthorized administrative control; CVE-2026-50176 covers missing restrictions on WebSocket authentication requests. Operators get allow-listing, single-session limits, anomaly monitoring and rate limits for legacy OCPP Security Profile 0 or 1 chargers, while primes, C3PAOs and state CISOs inherit an evidence problem around devices that can no longer move to Profile 2 or 3.
CISA’s advisory gives EVoke Systems Charging Station Management System an all-versions exposure in a critical infrastructure setting. CISA lists worldwide deployments in the Energy and Transportation Systems sectors, and assigns CVE-2026-40702 a CVSS 3.1 score of 9.4. The WebSocket endpoints lack authentication, allowing an attacker to impersonate charging stations, gain unauthorized access to sensitive data or perform unauthorized actions. CISA also identifies CVE-2026-50176, a missing restriction on WebSocket authentication requests that may support denial-of-service or brute-force attacks.
The remediation path turns on charger firmware as much as the EVoke platform. EVoke says its Charging Station Management System supports Open Charge Point Protocol (OCPP) Security Profiles 0 through 3, but the effective profile depends on electric vehicle supply equipment (EVSE) firmware. EVoke says it will prioritize supported chargers for migration to Profile 2, Transport Layer Security with basic authentication, or Profile 3, mutual TLS with client certificates. Certain legacy models, including chargers originally produced by EVBox, are no longer manufacturer-supported and cannot be upgraded to those stronger profiles.
For those Profile 0 or 1 devices, EVoke is implementing server-side controls: allow-listed charger IDs, rejection of unknown IDs, one active connection per charger ID, anomaly monitoring for repeated attempts and unexpected IP changes, WebSocket gateway rate limiting and a lifecycle policy for unsupported EVSE. Operators, primes, C3PAOs and state CISOs should treat the advisory as an inventory and evidence problem: which chargers can move to Profile 2 or 3, which remain on compensating controls, and whether those controls are enforced in production.
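The compensating controls above can be expressed as one admission decision made at the WebSocket gateway before an upgrade request reaches the CSMS. The following is an added illustration, not EVoke's code: it assumes the OCPP-J convention of carrying the charger ID as the last path segment of the WebSocket URL, and the allow-list, thresholds and addresses are constructed sample values.

```python
"""Gateway-side admission policy for legacy OCPP Security Profile 0/1 chargers.
Added example (not EVoke's implementation). Assumes the charger ID is the
last segment of the OCPP-J connection path, e.g. /ocpp/CP-001."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class GatewayPolicy:
    allowed_ids: Set[str]                     # allow-listed charger IDs
    max_attempts_per_window: int = 5          # per-source-IP rate limit
    window_seconds: float = 60.0
    active: Dict[str, str] = field(default_factory=dict)      # chargerId -> current source IP
    last_ip: Dict[str, str] = field(default_factory=dict)     # chargerId -> last accepted IP
    attempts: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    alerts: List[str] = field(default_factory=list)           # anomaly events for the SOC

    def _rate_limited(self, ip: str, now: float) -> bool:
        # Sliding window over all upgrade attempts from one IP (repeated attempts).
        window = self.attempts[ip]
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        window.append(now)
        return len(window) > self.max_attempts_per_window

    def admit(self, path: str, ip: str, now: float) -> Tuple[bool, str]:
        """Decide whether a WebSocket upgrade request may be forwarded to the CSMS."""
        if self._rate_limited(ip, now):
            self.alerts.append(f"rate-limit {ip}")
            return False, "rate_limited"
        charger_id = path.rstrip("/").rsplit("/", 1)[-1]
        if charger_id not in self.allowed_ids:          # reject unknown IDs outright
            self.alerts.append(f"unknown-id {charger_id} from {ip}")
            return False, "unknown_id"
        if charger_id in self.active:                    # one active connection per charger ID
            self.alerts.append(f"duplicate-session {charger_id} from {ip}")
            return False, "duplicate_session"
        previous = self.last_ip.get(charger_id)
        if previous and previous != ip:                  # unexpected IP change: admit, but flag
            self.alerts.append(f"ip-change {charger_id} {previous}->{ip}")
        self.active[charger_id] = ip
        self.last_ip[charger_id] = ip
        return True, "accepted"

    def disconnect(self, charger_id: str) -> None:
        """Release the single-session slot when the charger's socket closes."""
        self.active.pop(charger_id, None)
```

The `alerts` list is what an operator would forward to monitoring as evidence that the controls are enforced in production, which is the audit question the advisory leaves with primes and C3PAOs.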
Published · Deep Fathom