Critical Vulnerabilities Discovered in SWITCH EV's swtchenergy Platform
INCIBE-CERT warns of multiple security flaws in SWITCH EV's swtchenergy software, potentially exposing EV charging infrastructure to cyber threats.
Madrid, Spain – February 27, 2026 – INCIBE-CERT, Spain's national cybersecurity watchdog, has issued an alert regarding multiple vulnerabilities in swtchenergy, a software platform developed by SWITCH EV for electric vehicle (EV) charging infrastructure management. The flaws, if exploited, could pose significant risks to the security and operational integrity of EV charging networks.
Technical Details
While INCIBE-CERT has not yet disclosed the full technical specifics of the vulnerabilities, the advisory indicates that the flaws affect swtchenergy, a critical component in SWITCH EV's ecosystem. Security professionals should note the following:
- The vulnerabilities are classified under multiple CVEs (Common Vulnerabilities and Exposures), though specific IDs have not been released at this time.
- Potential attack vectors may include remote code execution (RCE), privilege escalation, or unauthorized access to sensitive charging infrastructure data.
- The software is widely used in commercial and public EV charging stations, amplifying the potential impact of these vulnerabilities.
INCIBE-CERT's advisory emphasizes the urgency of addressing these flaws, particularly given the growing adoption of EV infrastructure and its increasing integration with smart grid systems.
Impact Analysis
The discovery of these vulnerabilities highlights critical risks for stakeholders in the EV charging ecosystem:
- Operational Disruption: Exploitation could lead to denial-of-service (DoS) attacks, disrupting charging services for consumers and fleet operators.
- Data Breaches: Unauthorized access to swtchenergy could expose user credentials, payment information, or charging patterns, compromising privacy and financial security.
- Grid Vulnerabilities: As EV charging infrastructure becomes more interconnected with energy grids, these flaws could serve as entry points for larger-scale cyberattacks on critical infrastructure.
- Compliance Risks: Organizations using affected versions of swtchenergy may face regulatory penalties under frameworks such as GDPR or the NIS2 Directive for failing to secure critical systems.
Recommendations for Security Teams
INCIBE-CERT urges organizations using swtchenergy to take immediate action:
- Apply Patches: Monitor SWITCH EV’s official channels for security updates and apply patches as soon as they become available.
- Network Segmentation: Isolate EV charging infrastructure from corporate networks and critical operational systems to limit lateral movement in case of a breach.
- Access Controls: Enforce multi-factor authentication (MFA) and role-based access controls (RBAC) to minimize unauthorized access to the platform.
- Monitoring and Logging: Implement real-time monitoring and anomaly detection to identify suspicious activity, such as unusual login attempts or configuration changes.
- Incident Response Plan: Review and update incident response protocols to include EV charging infrastructure as a critical asset.
Security teams are advised to stay vigilant and prioritize remediation efforts, given the potential for these vulnerabilities to be exploited in targeted attacks. Further details, including CVE IDs and mitigation strategies, are expected to be released by INCIBE-CERT and SWITCH EV in the coming days.
For more information, refer to the original advisory from INCIBE-CERT.