CVE-2026-27767 — CRITICAL (9.4)

Vulnerability Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CVSS Score

9.4

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Swtchenergy	Swtchenergy.Com	All versions

Related Weaknesses (CWE)

CWE-306

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05Third Party Advisory
https://swtchenergy.com/contact/Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2026-27767?

CVE-2026-27767 is a vulnerability with a CVSS score of 9.4 (CRITICAL). WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can c...

How severe is CVE-2026-27767?

CVE-2026-27767 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-27767?

Check the references section above for vendor advisories and patch information. Affected products include: Swtchenergy Swtchenergy.Com.