📄 Description (English)
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
🤖 AI Executive Summary
CVE-2026-22890 exposes EV charging station authentication credentials through publicly accessible web-based mapping platforms, affecting EV2GO infrastructure. With a CVSS score of 6.5 and no available patch, this vulnerability allows unauthorized access to charging station management systems. The lack of exploit availability provides a limited window for remediation before potential weaponization.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 12, 2026 09:54
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi Arabia's emerging EV infrastructure, particularly affecting ARAMCO's EV charging networks and private sector operators like ACWA Power's charging initiatives. Government entities managing smart city projects (Vision 2030) and transportation modernization are at risk. Telecom operators (STC, Mobily) providing IoT connectivity to charging stations face secondary exposure. The exposure of authentication credentials could enable unauthorized charging, service disruption, and potential lateral movement into connected smart city infrastructure.
🏢 Affected Saudi Sectors
Energy & Utilities (ARAMCO EV infrastructure)
Government (Vision 2030 smart city initiatives)
Transportation & Logistics
Telecommunications (STC, Mobily IoT connectivity)
Smart City Infrastructure
Private Sector EV Operators
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all EV2GO instances and identify exposed authentication identifiers in web-based mapping platforms
2. Immediately revoke and rotate all exposed API keys, tokens, and authentication credentials
3. Implement access controls restricting mapping platform visibility to authenticated users only
4. Enable multi-factor authentication (MFA) on all charging station management portals
Compensating Controls:
5. Deploy Web Application Firewall (WAF) rules to detect and block unauthorized charging station API access
6. Implement rate limiting on authentication endpoints to prevent brute force attacks
7. Monitor charging station access logs for anomalous authentication patterns
8. Segment charging station networks from public-facing infrastructure
9. Implement IP whitelisting for authorized management access
Detection Rules:
10. Alert on multiple failed authentication attempts to charging station APIs
11. Monitor for credential exposure in public repositories and dark web
12. Track unusual geographic access patterns to charging station management systems
13. Implement SIEM rules for unauthorized API token usage
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع حالات EV2GO وتحديد معرفات المصادقة المكشوفة في منصات رسم الخرائط المستندة إلى الويب
2. إلغاء وتدوير جميع مفاتيح API والرموز بيانات الاعتماد المكشوفة فوراً
3. تطبيق عناصر التحكم في الوصول لتقييد رؤية منصة الرسم الخرائط للمستخدمين المصرح لهم فقط
4. تفعيل المصادقة متعددة العوامل (MFA) على جميع بوابات إدارة محطات الشحن
عناصر التحكم التعويضية:
5. نشر قواعد جدار تطبيقات الويب (WAF) للكشف عن محاولات الوصول غير المصرح به وحجبها
6. تطبيق تحديد معدل على نقاط نهاية المصادقة لمنع هجمات القوة الغاشمة
7. مراقبة سجلات الوصول لمحطات الشحن للكشف عن أنماط المصادقة الشاذة
8. فصل شبكات محطات الشحن عن البنية التحتية المتاحة للعامة
9. تطبيق القائمة البيضاء للعناوين IP للوصول المصرح به للإدارة
قواعد الكشف:
10. تنبيهات محاولات المصادقة الفاشلة المتعددة لواجهات برمجة تطبيقات محطات الشحن
11. مراقبة تسرب بيانات الاعتماد في المستودعات العامة والويب المظلم
12. تتبع أنماط الوصول الجغرافية غير العادية لأنظمة إدارة محطات الشحن
13. تطبيق قواعد SIEM لاستخدام رموز API غير المصرح به
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.5.2.1 - User Registration and Access Rights Management
ECC 2024 A.5.3.1 - Password Management
ECC 2024 A.8.2.1 - Classification of Information
ECC 2024 A.8.2.3 - Handling of Assets
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management
SAMA CSF PR.AC-1 - Access Control
SAMA CSF PR.AC-2 - Physical and Logical Access Control
SAMA CSF DE.AE-1 - Anomalies and Events Detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.5.2 - Information Security Roles and Responsibilities
ISO 27001:2022 A.5.3 - Segregation of Duties
ISO 27001:2022 A.8.2 - Asset Management
ISO 27001:2022 A.8.3 - Media Handling
ISO 27001:2022 A.9.1 - Access Control
ISO 27001:2022 A.9.2 - User Access Management
ISO 27001:2022 A.9.4 - Access to Information and Other Associated Assets
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Change default vendor-supplied passwords
PCI DSS 3.2 - Protect stored cardholder data
PCI DSS 7.1 - Limit access to cardholder data by business need to know
PCI DSS 8.1 - Assign unique ID to each person with computer access
🔗 References & Sources 3
🔗
https://ev2go.io/
ics-cert@hq.dhs.gov
Product
🔗
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json
ics-cert@hq.dhs.gov
Third Party Advisory
🔗
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04
ics-cert@hq.dhs.gov
Third Party Advisory
US Government Resource
📦 Affected Products / CPE 1 entries
ev2go:ev2go.io