CVE-2026-40702 | WebSocket endpoints lack proper authentication mechanisms, e… | CVSS 9.4 CRITICAL

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

Metadata

CVE ID: CVE-2026-40702
State: PUBLISHED
Assigner: icscert
Reserved: 2026-06-18 19:23 UTC
Published: 2026-06-25 20:59 UTC
Last updated: 2026-06-25 20:59 UTC
Primary CWE: CWE-306
CWE-306
Vendor / Product: EVoke / EVoke CSMS
Sources: cve.org · NVD

Severity & Metrics

9.4 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Affected products (1)

Vendor	Product	Platform	Versions
EVoke	EVoke CSMS	—	All versions

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.4	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References (3)