ctipilot.ch
← Back to the live brief
NOTABLECVE-2026-20744 +2vulnerability

CVE-2026-20744 — Hydro-Québec EV-charging backend: unauthenticated OCPP WebSocket endpoint enables privilege escalation

discovered 2026-07-08 20:35 UTCrun 2026-07-08T2009Z-intel2 sourcessingle-source · national CERT

CISA published ICS advisory ICSA-26-188-01 for the backend of Hydro-Québec's "Le Circuit Électrique" EV-charging network, disclosing three flaws reported by an anonymous researcher (CISA, 2026-07-07). The headline flaw, CVE-2026-20744 (CVSS v3.1 9.8, CWE-284 Improper Access Control), is in the charging-station WebSocket endpoint that speaks OCPP (Open Charge Point Protocol, the industry-standard charge-point-to-backend management protocol): the endpoint accepts connections with no authentication, letting a remote unauthenticated actor escalate privileges against the backend (T1190). Two companion flaws compound the exposure — CVE-2026-42952 (CVSS 7.5, CWE-307, no throttling on repeated authentication attempts → brute-force/DoS) and CVE-2026-44383 (CVSS 7.5, CWE-613, the backend allows multiple simultaneous connections under the same charging-station identifier, enabling session-exhaustion DoS via duplicate OCPP clients). There is no version-numbered software patch; Hydro-Québec's remediation is operational — OCPP has been disabled on most charging stations and authentication added for the remainder still using it — and CISA reports no known public exploitation (CISA CSAF, 2026-07-07). Defender takeaway: the advisory scopes to a single Canadian operator, but the underlying weakness class — an unauthenticated OCPP WebSocket management channel — is a protocol-implementation pattern relevant to every EV-charging network operator, and OCPP is the near-universal charge-point management standard across Swiss/EU public charging infrastructure; the fix is a configuration/security-profile decision (enforce OCPP Security Profile 2/3, one session per charge-point identity), and because the hardware carries no agent, monitoring is necessarily backend/network-telemetry-based.

The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

CISA (ICS Advisory ICSA-26-188-01) 2026-07-07

Defender actions

  • Any OCPP central-system operator: verify the WebSocket upgrade enforces mutual TLS or HTTP Basic Auth per OCPP Security Profile 2/3 rather than accepting unauthenticated ws:// upgrades.
  • Rate-limit repeated OCPP BootNotification/Authorize attempts per source, and reject duplicate concurrent connections claiming the same ChargePointId (closes the session-exhaustion class); since charge-point hardware carries no endpoint agent, detect on backend session-churn/connection-count anomalies per charge-point ID.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.