ctipilot.ch

Hydro-Quebec EV-charging: no auth-attempt throttling -> DoS (CVSS 7.5), ICSA-26-188-01

cve · CVE-2026-42952 single-source-national-cert

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
2
see Related entities below

Story timeline

  1. 2026-07-08CVE-2026-20744 — Hydro-Québec EV-charging backend: unauthenticated OCPP WebSocket endpoint enables privilege escalation
    trending-vulnerabilitiesCISA ICSA-26-188-01: unauthenticated OCPP WebSocket in an EV-charging backend — a transferable lesson for any charge-point operator

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • cisa.gov1 (50%)
  • raw.githubusercontent.com1 (50%)

Related entities

Entries about Hydro-Quebec EV-charging: no auth-attempt throttling -> DoS (CVSS 7.5), ICSA-26-188-01 (1)

2026-07-08 · view entry permalink →

CVE-2026-20744 — Hydro-Québec EV-charging backend: unauthenticated OCPP WebSocket endpoint enables privilege escalation

CISA published ICS advisory ICSA-26-188-01 for the backend of Hydro-Québec's "Le Circuit Électrique" EV-charging network, disclosing three flaws reported by an anonymous researcher (CISA, 2026-07-07). The headline flaw, CVE-2026-20744 (CVSS v3.1 9.8, CWE-284 Improper Access Control), is in the charging-station WebSocket endpoint that speaks OCPP (Open Charge Point Protocol, the industry-standard charge-point-to-backend management protocol): the endpoint accepts connections with no authentication, letting a remote unauthenticated actor escalate privileges against the backend (T1190). Two companion flaws compound the exposure — CVE-2026-42952 (CVSS 7.5, CWE-307, no throttling on repeated authentication attempts → brute-force/DoS) and CVE-2026-44383 (CVSS 7.5, CWE-613, the backend allows multiple simultaneous connections under the same charging-station identifier, enabling session-exhaustion DoS via duplicate OCPP clients). There is no version-numbered software patch; Hydro-Québec's remediation is operational — OCPP has been disabled on most charging stations and authentication added for the remainder still using it — and CISA reports no known public exploitation (CISA CSAF, 2026-07-07). Defender takeaway: the advisory scopes to a single Canadian operator, but the underlying weakness class — an unauthenticated OCPP WebSocket management channel — is a protocol-implementation pattern relevant to every EV-charging network operator, and OCPP is the near-universal charge-point management standard across Swiss/EU public charging infrastructure; the fix is a configuration/security-profile decision (enforce OCPP Security Profile 2/3, one session per charge-point identity), and because the hardware carries no agent, monitoring is necessarily backend/network-telemetry-based.

The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

CISA (ICS Advisory ICSA-26-188-01) 2026-07-07
vulnerability08 Jul 20:35Zsingle-source · national CERTOpen finding ↗