CVE-2026-25192 in Chargeportal
Summary
by MITRE • 03/21/2026
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Analysis
by VulDB Data Team • 05/07/2026
This vulnerability exists in the WebSocket endpoints that serve as the communication channel between charging stations and the backend (the charging station management system) in electric vehicle infrastructure. The flaw is the absence of any authentication step that would verify the identity of a connecting device before it is granted access to backend functions. The OCPP (Open Charge Point Protocol) WebSocket endpoints perform no authentication check at all, so the communication channel is open to anyone who can reach it over the network.
In OCPP over JSON (OCPP-J) the charging station identifier is the last segment of the WebSocket URL path, and in the affected product that identifier is the only thing the backend uses to decide which station is connecting. An unauthenticated attacker therefore only needs to know or discover a valid identifier to establish a WebSocket session as that station; no secret, certificate or token is ever demanded. The identifier is not designed to be secret (it is typically printed on the hardware, visible in operator tools and easy to enumerate when identifiers follow a pattern), so the connection process contains no actual device identity verification. Once connected, the attacker can send and receive OCPP messages as if they were the authorized device, bypassing every control that would normally depend on the station being who it claims to be.
Operationally, the impact falls on both the charging infrastructure and the integrity of the data the backend relies on. By impersonating a station the attacker can manipulate charging sessions, receive backend commands intended for the real station, and report false status, meter and transaction data that the backend records as legitimate. The summary describes this as privilege escalation because an anonymous network peer ends up with the authority of a provisioned device. Beyond unauthorized access, the consequences include billing and revenue loss from corrupted transaction data, service disruption, and compromise of network-wide charging operations.
The vulnerability maps to CWE-306 (Missing Authentication for Critical Function). In MITRE ATT&CK terms the closest fits are T1078 (Valid Accounts), since a known station identifier is effectively accepted as a valid credential, and T1598 (Phishing for Information) for the ways an attacker might obtain identifiers from operators or installers; identifiers can also be guessed or enumerated without any social engineering. The attack surface is especially concerning in enterprise charging networks where many stations report to one centralized backend: because the endpoint authenticates nothing, an attacker with a single network vantage point can impersonate every station whose identifier they know, and can do so for many stations at once.
Mitigation should start with authenticating every WebSocket upgrade before any OCPP message is processed. OCPP itself defines the options: the security profiles in the OCPP 1.6 security whitepaper and OCPP 2.0.1 specify HTTP Basic authentication with a per-station secret (profiles 1 and 2, the latter over TLS) and TLS client certificates (profile 3), and the identity asserted by the credential must be checked against the identifier in the URL path. Station identifiers should be treated as public names rather than secrets; what must be unique per station and rotated on suspicion of compromise is the credential, not the identifier. Network segmentation and monitoring should detect unauthorized connection attempts and anomalous command sequences: a second concurrent session for an identifier that is already connected, connections from outside the expected station networks, and BootNotification data that changes a station's vendor, model or serial number are all strong indicators of impersonation. A device registration process that binds each identifier to its credential, together with access controls that limit what a newly registered or unverified station may do, would further strengthen the security posture against this specific vulnerability.
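The following added example illustrates both the flaw described in the analysis and the fix described in the mitigation paragraph. It is not Chargeportal's code and does not reproduce anything from the affected product; it assumes the usual OCPP-J convention that the station identifier is the last segment of the WebSocket URL path and uses HTTP Basic authentication in the style of OCPP security profiles 1 and 2. The station IDs, secrets, peer addresses and the BootNotification frame are all constructed for the example. It contrasts an upgrade handler that accepts any connection for a registered identifier with one that also demands a matching per-station credential, and includes the duplicate-session check mentioned above as a detection aid.

```python
"""OCPP-J WebSocket gatekeeping: the missing authentication and its fix.

Added example, not Chargeportal's code. Assumes the usual OCPP-J convention
that the charge point identifier is the last segment of the WebSocket URL
path, and per-station HTTP Basic Auth as in OCPP security profiles 1 and 2.
Every station ID, secret, peer address and frame here is constructed.
"""
import base64
import hmac
import json
import uuid
from urllib.parse import unquote

# Constructed registry: station ID -> per-station secret. With Basic Auth the
# station ID is the username and the secret is the password.
KNOWN_STATIONS = {
    "CP-DEMO-0001": "s3cr3t-for-0001",
    "CP-DEMO-0002": "s3cr3t-for-0002",
}
OCPP_SUBPROTOCOLS = {"ocpp1.6", "ocpp2.0.1"}


def station_id_from_path(path):
    """'/ocpp/CP-DEMO-0001' -> 'CP-DEMO-0001'; None for an empty or '.'/'..' segment."""
    segment = unquote(path.rstrip("/").rsplit("/", 1)[-1])
    return segment if segment and segment not in (".", "..") else None


def accept_vulnerable(path, headers):
    """The CWE-306 pattern: a registered ID in the URL is the only 'credential'.
    Anyone who knows or guesses the ID is treated as that station."""
    sid = station_id_from_path(path)
    return sid if sid in KNOWN_STATIONS else None


def accept_basic_auth(path, headers):
    """Hardened upgrade check. The ID in the URL must also be the Basic Auth
    username, and the password must match that station's secret under a
    constant-time comparison. Returns the authenticated station ID or None."""
    sid = station_id_from_path(path)
    if sid not in KNOWN_STATIONS:
        return None
    offered = {p.strip() for p in headers.get("Sec-WebSocket-Protocol", "").split(",")}
    if not offered & OCPP_SUBPROTOCOLS:           # client must offer an OCPP-J subprotocol
        return None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:                             # bad base64 or non-UTF-8 credentials
        return None
    if user != sid:                                # URL identity and credential identity must agree
        return None
    if not hmac.compare_digest(password.encode(), KNOWN_STATIONS[sid].encode()):
        return None
    return sid


def basic_auth_headers(user, password, subprotocol="ocpp1.6"):
    """Client-side helper: the upgrade headers a legitimate station would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token, "Sec-WebSocket-Protocol": subprotocol}


def boot_notification_call(vendor, model):
    """OCPP 1.6-J CALL frame: [MessageTypeId=2, UniqueId, Action, Payload].
    Nothing in the frame identifies the sender; identity comes only from the
    connection, which is why data from an accepted impersonator is trusted."""
    return json.dumps([2, str(uuid.uuid4()), "BootNotification",
                       {"chargePointVendor": vendor, "chargePointModel": model}])


class SessionTracker:
    """Detection aid: a second live connection claiming an already connected
    station ID from a different peer is a strong impersonation indicator."""

    def __init__(self):
        self.active = {}  # station ID -> peer address

    def connect(self, sid, peer):
        alert = None
        if sid in self.active and self.active[sid] != peer:
            alert = f"duplicate session for {sid}: {self.active[sid]} vs {peer}"
        self.active[sid] = peer
        return alert

    def disconnect(self, sid):
        self.active.pop(sid, None)
```

The vulnerable handler admits a connection to `/ocpp/CP-DEMO-0001` with no headers at all; the hardened handler rejects that same request and only admits it when the Basic Auth username equals the identifier in the path and the password matches, so knowing an identifier alone no longer grants a station's authority. In a deployment the registry lookup would be a database or secret store and the tracker would key on the real socket peer, but the ordering is the point: authenticate at the upgrade, before the first OCPP frame is parsed.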