A critical vulnerability in EVoke Systems’ Charging Station Management System (CSMS) could allow attackers to impersonate electric vehicle charging stations, manipulate charging data, and potentially disrupt grid operations, according to a June 25, 2026 industrial control systems advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The flaw stems from insufficient authentication of WebSocket connections—a core component of the Open Charge Point Protocol (OCPP) used by thousands of charging stations worldwide.
The advisory warns that EVoke’s CSMS “can accept WebSocket connections from charging stations without sufficiently authenticating them,” effectively opening the door for malicious actors to spoof legitimate chargers and inject fraudulent messages into the management network. This type of weakness is especially dangerous in critical infrastructure, where EV charging networks are increasingly integrated with grid management and energy distribution systems.
The Vulnerability: OCPP WebSocket Authentication Bypass
At the heart of the issue is the OCPP protocol, which enables communication between charging stations and central management systems. OCPP relies heavily on WebSocket connections for real-time, bidirectional data exchange—covering everything from start/stop charging commands to firmware updates and billing information.
In a properly secured implementation, each charging station must authenticate itself when establishing a WebSocket connection. Common mechanisms include client certificates, cryptographic tokens, or pre-shared keys. Without this step, a central system has no reliable way to verify that an incoming connection actually belongs to a legitimate, trusted charger.
According to CISA’s advisory, EVoke Systems’ CSMS fails to enforce adequate authentication for these WebSocket connections. As a result, an attacker with network access to the CSMS endpoint can simply open a WebSocket connection and present themselves as a valid charging station. Once connected, they can send fraudulent OCPP messages—spoofing heartbeats, meter values, charging sessions, and even error conditions.
This is not a theoretical risk. In recent years, researchers have demonstrated how OCPP-based attacks can be used to stop vehicles from charging, manipulate metering data to steal electricity, or overload local transformers by coordinating fake high-power requests. The lack of robust authentication amplifies all of these threats.
Real-World Impact: From Financial Fraud to Grid Instability
Attack scenarios made possible by this flaw range from simple nuisance attacks to serious disruptions of critical infrastructure. For instance, an attacker could:
- Spoof charging sessions to fraudulently bill customers or steal electricity.
- Inject false meter values to underreport energy consumption or trigger incorrect demand forecasts.
- Send unauthorized stop/start commands to disrupt EV drivers’ charging schedules.
- Overwhelm the CSMS with fake charger connections, causing a denial-of-service condition that blinds operators to legitimate events.
- Coordinate fake high-power requests across multiple emulated chargers to destabilize the local power grid, especially in areas with high EV penetration.
Because EVoke’s CSMS likely serves multiple charging site operators, a successful spoofing attack could ripple across many locations simultaneously. The advisory does not specify how many installations are affected, but given the growing adoption of EV infrastructure, even a modest market share translates to thousands of potential targets.
OCPP Security: Known Gaps and Industry Blind Spots
OCPP has long faced scrutiny for its optional security measures. While later versions (such as OCPP 2.0.1) introduced mandatory secure profiles that require TLS and strong authentication, many real-world deployments still rely on older versions or bypass security configurations for ease of setup. EVoke Systems’ CSMS appears to fall into this category, neglecting to enforce authentication checks at the application layer even if transport-level encryption is present.
Security researchers have repeatedly highlighted that OCPP’s reliance on JSON over WebSockets can create a false sense of security if implementers treat WebSocket connections as inherently trusted. The protocol itself does not prescribe a specific authentication method, leaving it to each vendor to design and enforce a robust mechanism. Without it, the system is vulnerable to exactly the kind of spoofing described in the CISA advisory.
“OCPP is like any other IoT protocol—if you don’t lock down who can talk to your server, you’re inviting trouble,” said Dr. Elena Torres, an independent ICS security consultant familiar with EV infrastructure. “The fact that a CSMS would accept unauthenticated connections in a production environment is alarming, especially given how much trust we place in these systems for billing and grid management.”
Affected Systems and Mitigation
CISA’s advisory specifically names EVoke Systems’ Charging Station Management System, though exact version numbers and build details were not immediately available at the time of reporting. The vendor has reportedly been notified and is working on a patch. In the interim, CISA recommends that operators of EVoke-based infrastructure immediately review their network configurations and apply compensating controls.
Recommended mitigation steps include:
- Enforce mutual TLS (mTLS) authentication for all WebSocket connections, requiring both the client (charger) and server to present certificates.
- Implement WebSocket-level authentication tokens that are validated on every connection request, using mechanisms like OAuth2 or vendor-specific tokens.
- Segment the CSMS network from the internet and limit exposure to only trusted IP ranges, ideally via VPN or private circuits.
- Deploy an application firewall that can inspect OCPP messages and block anomalous or unauthorized connections.
- Monitor logs for unexpected WebSocket connection attempts, particularly from IP addresses not associated with known chargers.
For charge point operators who cannot implement these controls immediately, network segmentation and strict access control lists offer the most practical short-term defense. However, no network-level measure can substitute for proper application-layer authentication.
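As an illustration of application-layer authentication at the WebSocket handshake, the following added example (not EVoke's code and not taken from the CISA advisory) decides whether an upgrade request may proceed. The `/ocpp/<charger-id>` path layout, the use of HTTP Basic credentials to carry a per-charger pre-shared key, and the `CHARGERS` store are assumptions made for the sketch.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Constructed credential store: charger identity -> (salt, PBKDF2 hash of its key).
def _enroll(key: str, salt: bytes) -> tuple[bytes, bytes]:
    return salt, hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)

CHARGERS = {"CP-0001": _enroll("constructed-key-for-CP-0001", b"salt-0001")}
_DUMMY = _enroll("unused", b"dummy-salt")

def authenticate_upgrade(path: str, headers: dict[str, str]) -> tuple[int, str]:
    """Return (HTTP status, reason) for a WebSocket upgrade request.
    101 means the handshake may proceed; anything else must reject it."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return 400, "not a websocket upgrade"
    # Hypothetical URL layout: /ocpp/<charger-id>
    parts = path.split("?", 1)[0].strip("/").split("/")
    if len(parts) != 2 or parts[0] != "ocpp" or not parts[1]:
        return 404, "unknown endpoint"
    charger_id = unquote(parts[1])
    scheme, _, blob = h.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401, "missing credentials"
    try:
        user, sep, key = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, "malformed credentials"
    # Unknown IDs still run the hash so timing does not reveal which IDs exist.
    salt, expected = CHARGERS.get(charger_id, _DUMMY)
    actual = hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)
    ok = hmac.compare_digest(actual, expected)
    # The credential must belong to the identity named in the URL, not just any charger.
    if not (sep and ok and charger_id in CHARGERS and user == charger_id):
        return 401, "authentication failed"
    return 101, "authenticated as " + charger_id
```

The check binds the credential to the charger identity in the URL, so a valid key for one station cannot be used to connect as another.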
The Broader Context: EV Charging Security Under Scrutiny
This advisory arrives as governments and private sector entities invest billions into expanding EV charging infrastructure. In the U.S., the National Electric Vehicle Infrastructure (NEVI) program and various state-level initiatives are deploying thousands of new public chargers, often with interconnected management systems that aggregate data for payments, maintenance, and grid coordination.
Such systems have increasingly attracted the attention of both cybersecurity researchers and malicious actors. Past incidents include ransomware attacks against individual charging networks, vulnerabilities in charger firmware that allowed remote code execution, and proof-of-concept demonstrations of how compromised chargers could destabilize local power grids through coordinated rapid cycling.
The EVoke Systems flaw is emblematic of a recurring problem: the rush to expand EV infrastructure often outpaces security hardening. Many charging station manufacturers and CSMS vendors prioritize interoperability and ease of deployment over robust security, leaving gaps that can be exploited even by low-skilled attackers.
“The EV charging ecosystem is still maturing from a security standpoint,” said Marcus Chen, senior threat analyst at GridSecure, a firm specializing in energy-sector cybersecurity. “We’re seeing a lot of the same mistakes that plagued early IoT deployments—hardcoded credentials, missing authentication, and overly permissive network services. Until the industry adopts mandatory security baselines, these advisories will keep coming.”
What Operators Should Do Now
For organizations relying on EVoke Systems’ CSMS, immediate action is essential. Even before a vendor patch is released, operators should:
- Audit existing WebSocket connections to identify any that lack mutual authentication or originate from unexpected sources.
- Implement strict firewall rules that only allow WebSocket traffic from known charger IP addresses or network segments.
- Deploy an intrusion detection system (IDS) tuned to OCPP traffic patterns, alerting on anomalous connection attempts.
- Review the CISA advisory for updated mitigation guidance as more details emerge.
- Engage with the vendor to understand the patch timeline and test any updates in a staging environment before production rollout.
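The connection audit and log monitoring recommended in the two lists above can start as a simple comparison of handshake logs against the charger inventory. This added example is not part of the advisory or any vendor tooling; the log format, the inventory and the sample lines are constructed for illustration.

```python
import ipaddress

# Constructed inventory: charger ID -> network it is expected to connect from.
INVENTORY = {
    "CP-0001": ipaddress.ip_network("10.20.1.0/24"),
    "CP-0002": ipaddress.ip_network("10.20.2.0/24"),
}

# Constructed log lines in a hypothetical "timestamp src_ip GET path status" format.
SAMPLE_LOG = """\
2026-06-25T08:00:01Z 10.20.1.15 GET /ocpp/CP-0001 101
2026-06-25T08:00:04Z 10.20.2.40 GET /ocpp/CP-0002 101
2026-06-25T08:03:10Z 198.51.100.7 GET /ocpp/CP-0001 101
2026-06-25T08:03:11Z 198.51.100.7 GET /ocpp/CP-7777 101
2026-06-25T08:05:00Z 10.20.2.40 GET /ocpp/CP-0001 401
not a log line
"""

def audit(log_text: str, inventory=INVENTORY) -> list[tuple[str, str, str]]:
    """Return (finding, charger_id, src_ip) for every suspicious upgrade attempt."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].startswith("/ocpp/"):
            continue  # skip lines that are not upgrade requests
        _, src, _, path, status = fields
        charger_id = path[len("/ocpp/"):]
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparseable source address
        expected = inventory.get(charger_id)
        if expected is None:
            kind = "unknown-charger-id"
        elif addr not in expected:
            kind = "unexpected-source"
        else:
            continue  # known charger connecting from its own network
        # An accepted (101) handshake is worse than a rejected attempt.
        outcome = "-ACCEPTED" if status == "101" else "-rejected"
        findings.append((kind + outcome, charger_id, src))
    return findings
```

Findings ending in `-ACCEPTED` are the ones to triage first, since they mean the CSMS completed a handshake for an identity or source it should not have trusted.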
CISA’s advisory also serves as a wake-up call for the broader EV charging industry. Every CSMS vendor should evaluate their OCPP implementation and enforce authentication by default, even if it adds friction to initial setup. As the grid becomes increasingly reliant on smart, connected chargers, the cost of inaction could be measured in both financial losses and public safety risks.
The Road Ahead
CISA’s issuance of a dedicated advisory highlights the growing importance of EV charging infrastructure as a critical asset worthy of federal-level attention. The agency has been steadily expanding its scope to include electric vehicle systems, recognizing that they sit at the intersection of transportation, energy, and information technology.
For EVoke Systems, the severity of this vulnerability will likely accelerate development of stronger authentication features and a security-first design philosophy. For the industry as a whole, it underscores the need for enforceable security standards—perhaps modeled after the payment card industry’s PCI DSS or North American Electric Reliability Corporation’s CIP requirements.
Until such standards are adopted and enforced, the onus remains on individual charge point operators and fleet managers to thoroughly vet the security of their management systems. The EV revolution may be electric, but its security foundation must still be built on cryptographic trust.