IM
IronMonkey Threat Research
‹ Back to ICS Advisories

Hydro-Québec Le Circuit Electrique charging station backend

CRITICAL
CVSS 9.8
Date 2026-07-07T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

Successful exploitation of these vulnerabilities could lead to privilege escalation, or result in a denial-of-service attack.

// Vulnerabilities (3)

CVE ID CVSS Score Severity Description
CVE-2026-44383 7.5 high
Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.
CVE-2026-20744 9.8 critical
The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.
CVE-2026-42952 7.5 high
Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a Denial-of-Service attack.

// Remediations (1)

Mitigation: Hydro-Québec has updated the majority of charging stations to disable OCPP, mitigating the risk of e
Hydro-Québec has updated the majority of charging stations to disable OCPP, mitigating the risk of exploitation. Hydro-Québec has also implemented authentication systems to mitigate the issue for certain charging stations which are still reliant on OCPP. Contact Hydro-Québec with any additional questions.

// References