How is CVE-2026-40702 exploited?

Network reachability (required): The attacker must reach the EVoke CSMS WebSocket endpoints over the network; internet or internal network access to the service is sufficient. Authentication (not-required): No credentials or account of any kind are required; the WebSocket endpoints lack authentication entirely. Victim interaction (not-required): No user action or interaction is needed; the attacker can exploit the endpoint directly without involving any human victim. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.

What is the impact of CVE-2026-40702?

Attacker reads sensitive charging station data, session tokens, and operational records stored or transmitted through the CSMS. Attacker writes unauthorized commands or configuration changes to charging stations impersonating legitimate infrastructure. Attacker escalates privileges within the CSMS by acting as a trusted charging station identity, potentially gaining control over the broader system. Service availability is marginally degraded (CVSS VA:L), meaning partial disruption to charging session management is possible but full service crash is not indicated.

Back to search

CRITICALCVE-2026-40702Published 2026-06-25Modified 2026-06-25CNA icscert

CVE-2026-40702: EVoke Systems EVoke CSMS Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Missing authentication on WebSocket endpoints in EVoke Systems EVoke CSMS allows any network-accessible attacker to impersonate charging stations without credentials. The flaw is reachable over the network with no authentication required and no user interaction needed, as described by the CVSS v4.0 vector (AV:N/PR:N/UI:N). Successful exploitation gives the attacker full read and write access to sensitive system data and the ability to perform unauthorized actions across the charging management system, with the potential to escalate privileges and compromise the entire platform. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.

HarborGuard Coverage

Detection

Detection of CVE-2026-40702 is available across every HarborGuard environment - the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images containing EVoke CSMS components. Matching runs against images in both connected registries and active CI/CD pipelines.

Available

Triage

Triage is available using the CVSS v4.0 base score of 9.3 (CRITICAL), weighted against each customer organization's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on configured severity thresholds and ownership rules.

Available

Patch

Because no fix version has been published for EVoke CSMS, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, customers can apply compensating controls through HarborGuard's network policy recommendations to limit exposure of affected WebSocket endpoints.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the EVoke CSMS WebSocket endpoints over the network; internet or internal network access to the service is sufficient.
AuthenticationNot required
No credentials or account of any kind are required; the WebSocket endpoints lack authentication entirely.
Victim interactionNot required
No user action or interaction is needed; the attacker can exploit the endpoint directly without involving any human victim.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.

Blast Radius

Attacker reads sensitive charging station data, session tokens, and operational records stored or transmitted through the CSMS.
Attacker writes unauthorized commands or configuration changes to charging stations impersonating legitimate infrastructure.
Attacker escalates privileges within the CSMS by acting as a trusted charging station identity, potentially gaining control over the broader system.
Service availability is marginally degraded (CVSS VA:L), meaning partial disruption to charging session management is possible but full service crash is not indicated.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-40702 at this time, HarborGuard monitors the EVoke advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads with no manual intervention required. While no patch is available, HarborGuard can surface compensating-control recommendations including network policy isolation to restrict inbound WebSocket traffic to trusted sources only, egress filtering to limit lateral movement from a compromised CSMS instance, and feature-flag gating where the deployment platform supports disabling unauthenticated WebSocket bindings. Customers running EVoke CSMS in container workloads should treat this as a critical exposure given the zero-authentication network attack path and review network segmentation policies immediately.

See how HarborGuard automates this

Affected packages

EVoke / EVoke CSMS
All versions

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References

Metrics

Get notified