10 Advisories and 3 Updates Published – 2-26-26
Today CISA’s NCCIC-ICS published 10 control system security advisories for products from Copeland, Yokogawa, Mobility46, EV Energy, SWITCH EV, Chargemap, EV2GO, CloudCharge, Pelco, and Johnson Controls. They also published updates for advisories from Honeywell, Schneider Electric, and Hitachi Energy. I also take a down-the-rabbit-hole look at EV charging cybersecurity research.
NOTE: If you are signed up for email notifications from CISA on security advisories you will note that the Yokogawa advisory was not listed in that email (see link above). Not sure why, but it is listed on the CISA ICS-Advisories page.
Copeland Advisory
This advisory describes 23 vulnerabilities in the Copeland XWEB and XWEP Pro plant management software. The vulnerabilities were reported to CISA by Amir Zaltzman and Noam Moshe of Claroty Team82. Copeland has new versions that mitigate the vulnerabilities.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, cause a denial-of-service condition, cause memory corruption, and execute arbitrary code.
Yokogawa Advisory
This advisory describes six vulnerabilities in the Yokogawa Vnet/IP Interface Package used in their CENTUM VP R6 and R7 products. The vulnerabilities were reported by Dmitry Sklyar and Demid Uzenkov of Positive Technologies. Yokogawa has a new version that mitigates the vulnerabilities.
The six reported vulnerabilities are:
Integer underflow (2) - CVE-2025-1924 and CVE-2025-48021,
Reachable assertion (3) - CVE-2025-48019, CVE-2025-48020, and CVE-2025-48023, and
Improper handling of length parameter inconsistency - CVE-2025-48022.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow an attacker to terminate the software stack process, cause a denial-of-service condition, or execute arbitrary code.
NOTE: I briefly discussed these vulnerabilities on February 15th, 2026.
Mobility46 Advisory
This advisory describes four vulnerabilities in the Mobility46 mobility46.se digital parking management and EV charging solution. The vulnerabilities were reported to CISA by Khaled Sarieddine and Mohammad Ali Sayed. CISA notes that: “Mobility46 did not respond to CISA’s request for coordination.”
The four reported vulnerabilities are:
Insufficiently protected credentials - CVE-2026-22878,
Insufficient session expiration - CVE-2026-27647,
Improper restriction of excessive authentication attempts - CVE-2026-26305, and
Missing authentication for critical function - CVE-2026-27028.
EV Energy Advisory
This advisory describes four vulnerabilities in the EV Energy ev.energy EV charging management solution. The vulnerabilities were reported to CISA by Khaled Sarieddine and Mohammad Ali Sayed. CISA notes that: “EV Energy did not respond to CISA’s request for coordination.”
The four reported vulnerabilities are:
Insufficiently protected credentials - CVE-2026-25774,
Insufficient session expiration - CVE-2026-26290,
Improper restriction of excessive authentication attempts - CVE-2026-24445, and
Missing authentication for critical function - CVE-2026-27772.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.
SWITCH EV Advisory
This advisory describes four vulnerabilities in the SWITCH EV SwitchEnergy.com multiple EV charging systems management. The vulnerabilities were reported to CISA by Khaled Sarieddine and Mohammad Ali Sayed. CISA notes that: “SWITCH EV did not respond to CISA’s request for coordination.”
The four reported vulnerabilities are:
Insufficiently protected credentials - CVE-2026-27773,
Insufficient session expiration - CVE-2026-25778,
Improper restriction of excessive authentication attempts - CVE-2026-25113, and
Missing authentication for critical function - CVE-2026-27767.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend.
Chargemap Advisory
This advisory describes four vulnerabilities in the Chargemap Chargemap.com EV fleet charging management. The vulnerabilities were reported to CISA by Khaled Sarieddine and Mohammad Ali Sayed. CISA notes that: “Chargemap did not respond to CISA’s request for coordination.”
The four reported vulnerabilities are:
Insufficiently protected credentials - CVE-2026-20791,
Insufficient session expiration - CVE-2026-25711,
Improper restriction of excessive authentication attempts - CVE-2026-20792,
Missing authentication for critical function - CVE-2026-25851.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.
EV2GO Advisory
This advisory describes four vulnerabilities in the EV2GO ev2go.io charging infrastructure management. The vulnerabilities were reported to CISA by Khaled Sarieddine and Mohammad Ali Sayed. CISA notes that: “EV2GO did not respond to CISA’s request for coordination.”
The four reported vulnerabilities are:
Insufficiently protected credentials - CVE-2026-22890,
Insufficient session expiration - CVE-2026-20895,
Improper restriction of excessive authentication attempts - CVE-2026-25945, and
Missing authentication for critical function - CVE-2026-24731.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend.
CloudCharge Advisory
This advisory describes four vulnerabilities in the CloudCharge cloudcharge.se charging facility management. The vulnerabilities were reported to CISA by Khaled Sarieddine and Mohammad Ali Sayed. CISA notes that: “CloudCharge did not respond to CISA’s request for coordination.”
The four reported vulnerabilities are:
Insufficiently protected credentials - CVE-2026-20733,
Insufficient session expiration - CVE-2026-27652,
Improper restriction of excessive authentication attempts - CVE-2026-25114, and
Missing authentication for critical function - CVE-2026-20781.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend.
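The six EV charging advisories above (Mobility46 through CloudCharge) all list the same four weakness classes: insufficiently protected credentials, insufficient session expiration, improper restriction of excessive authentication attempts, and missing authentication for a critical function. The advisories do not say how any vendor's backend is built, so the following is an added illustration of my own, not code from any of those products: a minimal login/session layer for a hypothetical charging-management API that closes all four classes at once. The policy values (attempt limit, lockout window, session lifetimes, PBKDF2 iteration count), the account and session names, and the start_charging operation are all assumptions chosen for the example.

```python
"""Hardened login/session handling for a hypothetical charging-management API.

Added illustration only; not code from any vendor named in the advisories.
It covers the four CWE classes those advisories share: protected credential
storage, a bound on failed login attempts, bounded session lifetime, and an
authentication check in front of a critical operation (starting a charge).
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for the example; tune to your own threat model.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SESSION_IDLE_SECONDS = 15 * 60
SESSION_ABSOLUTE_SECONDS = 8 * 3600
PBKDF2_ITERATIONS = 200_000  # kept modest so the example runs quickly; raise in production


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class AuthService:
    def __init__(self, clock):
        self.clock = clock  # injectable time source so expiry logic is testable
        self.accounts = {}
        self.sessions = {}

    def register(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token, or None. Failures count toward a lockout."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            return None
        if now < acct.locked_until:
            return None  # locked out: reject before even checking the password
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return None
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)  # 256-bit random, unguessable token
        self.sessions[token] = Session(user, now, now)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Validate a token, enforcing both idle and absolute session lifetimes."""
        now = self.clock()
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > SESSION_IDLE_SECONDS or now - s.created > SESSION_ABSOLUTE_SECONDS:
            del self.sessions[token]  # expired sessions are dropped, not refreshed
            return None
        s.last_seen = now
        return s.user

    def start_charging(self, token: str, station_id: str) -> str:
        """Critical function: refuses to act unless the caller holds a live session."""
        user = self.authenticate(token)
        if user is None:
            return "denied"
        return f"started {station_id} for {user}"


if __name__ == "__main__":
    import time
    svc = AuthService(time.time)
    svc.register("ops", "correct horse battery staple")
    tok = svc.login("ops", "correct horse battery staple")
    print(svc.start_charging(tok, "CP-01"))
    print(svc.start_charging("forged-token", "CP-01"))
```

The lockout check runs before the password comparison so a locked account cannot be brute-forced during the window, the comparison is constant-time, and the critical operation never consults anything but the session store; a client-supplied user identifier on its own buys nothing.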
Pelco Advisory
This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Pelco Sarix Pro 3 Series IP Cameras. The vulnerability was reported to CISA by Souvik Kandar. Pelco has a new firmware version that mitigates the vulnerability.
NCCIC-ICS reports that successful exploitation of this vulnerability could allow attackers to gain unauthorized access to sensitive device data, bypass surveillance controls, and expose facilities to privacy breaches, operational risks, and regulatory compliance issues.
Johnson Controls Advisory
This advisory describes six vulnerabilities in the Johnson Controls Frick Controls Quantum HD compressor control panel. The vulnerabilities were reported by Noam Moshe of Claroty Research Team 82. The affected versions are end-of-life, so Johnson Controls recommends upgrading to v12 or higher.
The six reported vulnerabilities are:
Plain text storage of password - CVE-2026-21660,
Relative path traversal - CVE-2026-21659,
Code injection (3) - CVE-2026-21658, CVE-2026-21657, and CVE-2026-21656, and
OS command injection - CVE-2026-21654.
Honeywell Update
This update provides additional information on the HIB2PI and HDZ Series CCTV Cameras advisory that was originally published on February 17th, 2026. The new information includes updating affected products, deployed locations, and headquarters location.
Schneider Update
This update provides additional information on the EcoStruxure Power Operation advisory that was originally published on July 22nd, 2025. The new information includes announcing that remediations are available for EcoStruxure Power Operation 2022.
NOTE: I briefly discussed this new information on February 15th, 2026.
Hitachi Energy Update
This update provides additional information on the Relion 670/650/SAM600-IO Series advisory that was originally published on May 13th, 2025, and most recently updated on June 5th, 2025. The new information includes updating the Recommended Actions table with fixed version 2.2.1.9. The dates above are the dates on which CISA published its advisory and update; CISA's own advisory reports the dates of the Hitachi Energy advisory and its updates.
NOTE: I briefly mentioned the Hitachi Energy update on February 1st, 2026.
DTRH EV Charging Vulnerabilities
Earlier this year Khaled Sarieddine and Mohammad Ali Sayed of Concordia University published a paper on “Plug and prey: Exploiting design flaws to hijack EV charging stations”. It looks at six unnamed EV charging management products, identifying common design flaws that leave the systems vulnerable to cyberattack. I suspect that we now know which six products were investigated.
I do not know which is more concerning, that all six products had similar critical vulnerabilities, or that none of the vendors have responded to CISA’s coordination efforts. With the information available in these advisories, it could easily be that all six vendors are using the same software.
The non-cooperation issue may be the more serious issue. If, as I suspect, these foreign companies are avoiding cooperation with CISA because it is part of the current US administration, that presages a much more serious problem for the future of international cooperation with respect to cybersecurity issues. One would like to think that such coordination would be apolitical, but this Administration has made it perfectly clear to the world at large that nothing is apolitical in their view.