CVE-2026-22100 in DC-80
Summary
by MITRE • 07/13/2026
The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/13/2026
The vulnerability in the OCPP DataTransfer message ReserveLogin represents a critical command injection flaw that exposes charging station infrastructure to severe operational risks. This vulnerability exists within the Open Charge Point Protocol implementation where the system fails to properly sanitize user input before processing it within system commands. The flaw allows an attacker to inject malicious commands through the data parameter of the ReserveLogin message, effectively bypassing normal authentication and authorization controls. The attack vector leverages the trust relationship between the charging station and the central management system, where legitimate communication channels become pathways for unauthorized command execution.
The technical implementation of this vulnerability stems from improper input validation and command construction practices within the OCPP protocol handler. When the ReserveLogin message is processed, the system directly incorporates user-supplied data into shell commands without adequate sanitization or parameter escaping mechanisms. This design flaw aligns with CWE-78 which specifically addresses OS Command Injection vulnerabilities, where untrusted data is concatenated into system commands without proper encoding or validation. The vulnerability can be exploited by crafting malicious payloads that include shell metacharacters such as semicolons, pipes, or backticks, which are then interpreted by the underlying operating system. The fact that commands execute with root privileges indicates a privilege escalation issue where the charging station's service account operates with elevated permissions.
The operational impact of this vulnerability extends beyond simple command execution to encompass complete system compromise and potential infrastructure disruption. An attacker who successfully exploits this vulnerability can gain full control over the charging station's operating system, including access to sensitive data, network configuration, and potentially other connected systems within the facility. The implications are particularly severe for organizations relying on OCPP-compliant charging infrastructure as these stations often serve as critical points in electric vehicle charging networks. The vulnerability affects not only individual charging stations but can also compromise the entire charging network if multiple stations share similar implementations. Additionally, the persistence of command injection attacks means that attackers can establish backdoors or maintain access even after initial exploitation attempts.
Mitigation strategies for this vulnerability require immediate implementation of input validation and sanitization mechanisms throughout the OCPP protocol processing stack. Organizations should implement strict parameter validation that rejects any input containing potentially dangerous characters or sequences that could be interpreted as shell metacharacters. The recommended approach involves using secure coding practices that avoid direct command construction with user input, instead employing parameterized interfaces or dedicated APIs for system operations. Network segmentation and access controls should be implemented to limit exposure of charging stations to untrusted networks, while regular security audits should verify proper implementation of input sanitization measures. Organizations should also consider implementing monitoring solutions that can detect anomalous command execution patterns and alert administrators to potential exploitation attempts. The vulnerability's classification under CWE-78 and its potential alignment with ATT&CK technique T1059.003 for command and scripting interpreters indicates that defensive measures must address both the immediate code-level fixes and broader operational security controls to prevent successful exploitation and maintain system integrity.