CVE-2026-25851

Critical CVSS: 9.3

WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.

Vendor

Chargemap

Product

Chargemap.com

CWE

CWE-306

Yayın Tarihi

2026-02-27 00:16:57

Güncelleme

2026-03-05 21:16:16

Source Identifier

ics-cert@hq.dhs.gov

KEV Date Added

Kategoriler

CWE-306 Chargemap.com CRITICAL Chargemap 2026

Referanslar

https://chargemap.com/en-us/support https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05

Benzer Kayıtlar

Medium

CVE-2026-25711

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to…

Medium

CVE-2026-20791

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

High

CVE-2026-20792

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absen…