CISA Warns of Critical Vulnerabilities in Everon OCPP Backend Systems

Cybersecurity Reporter

CISA has identified critical security vulnerabilities in Everon's Open Charge Point Protocol backend systems that could allow attackers to compromise electric vehicle charging infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about critical security vulnerabilities affecting Everon's Open Charge Point Protocol (OCPP) backend systems, which are widely used in electric vehicle charging infrastructure across the United States.

The vulnerabilities, which have been assigned CVE identifiers, could allow malicious actors to gain unauthorized access to charging stations, potentially disrupting power delivery, manipulating charging sessions, or even causing physical damage to connected vehicles and infrastructure.

According to CISA's alert, the flaws exist in the authentication and authorization mechanisms of Everon's OCPP backend software. An attacker who successfully exploits these vulnerabilities could bypass security controls and execute arbitrary commands on affected charging stations. The agency notes that successful exploitation could lead to service disruption, data theft, or even safety hazards if charging operations are manipulated.

Everon, a Netherlands-based company that provides EV charging management software, has acknowledged the vulnerabilities and released patches to address the security issues. The company has urged all customers running affected versions of its OCPP backend software to update immediately.

The timing of this disclosure is particularly concerning given the rapid expansion of EV infrastructure in the United States. With federal and state governments pushing for widespread EV adoption, charging networks have become critical infrastructure that requires robust security measures.

CISA has not identified any specific threat actors exploiting these vulnerabilities at this time, but the agency emphasizes that the nature of the flaws makes them attractive targets for both criminal groups and nation-state actors interested in disrupting critical infrastructure.

For organizations running Everon OCPP backend systems, CISA recommends:

  • Immediately updating to the latest patched versions of the software
  • Implementing network segmentation between charging infrastructure and other corporate networks
  • Enabling multi-factor authentication for all administrative access
  • Monitoring network traffic for unusual patterns that might indicate exploitation attempts
  • Conducting penetration testing to verify that patches have been properly applied

The agency also notes that this incident highlights the broader security challenges facing the EV charging industry as it scales rapidly. Many charging networks were designed with convenience and interoperability in mind, sometimes at the expense of security.

Industry experts suggest that as EV adoption continues to grow, security standards for charging infrastructure will need to evolve to address emerging threats. This includes implementing more robust authentication protocols, improving network security, and establishing incident response procedures specific to charging infrastructure.

For EV charging network operators, the Everon vulnerabilities serve as a reminder that critical infrastructure requires continuous security assessment and rapid response to emerging threats. The interconnected nature of modern charging networks means that a vulnerability in one component can potentially affect thousands of charging stations across multiple operators.

CISA continues to monitor the situation and will provide updates if new information becomes available about exploitation attempts or additional vulnerabilities affecting EV charging infrastructure.