CVE-2026-25851 in Chargemap
Summary
by MITRE • 02/27/2026
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Analysis
by VulDB Data Team • 03/06/2026
This vulnerability resides in the OCPP (Open Charge Point Protocol) WebSocket endpoints where the absence of proper authentication mechanisms creates a critical security gap in electric vehicle charging infrastructure. The flaw allows attackers to establish connections to charging station endpoints without any verification of their identity or authorization status, fundamentally undermining the security model of the charging network. This weakness directly maps to CWE-306, which addresses the improper handling of authentication mechanisms, and represents a significant deviation from the security requirements outlined in the OCPP specification standards that mandate robust authentication for all communication channels.
Technically, the vulnerability lets an attacker impersonate a station by using a known or discovered charging station identifier to connect to the WebSocket endpoint. Once connected, the attacker can issue or receive OCPP commands as if they were a legitimate charging station, bypassing the security controls that protect the charging infrastructure. The impersonation is possible because no authentication check validates the identity of a connecting device before it is granted access to the communication channel. This gives attackers a direct path to manipulate data sent to backend systems, which can lead to unauthorized control of charging operations and data corruption.
The operational impact of this vulnerability extends far beyond simple unauthorized access, creating opportunities for privilege escalation and complete control over charging infrastructure. Attackers can manipulate charging sessions, alter billing information, disrupt service availability, and potentially cause physical damage to charging equipment through malicious command execution. The vulnerability enables unauthorized control of charging infrastructure because the system cannot distinguish between legitimate and malicious connections, allowing attackers to send commands that modify charging parameters, access billing data, or even disable charging stations. This represents a significant threat to the integrity and availability of charging networks, potentially affecting thousands of charging stations and their associated users.
Mitigation strategies must address the fundamental lack of authentication by implementing robust authentication mechanisms for all OCPP WebSocket endpoints. Organizations should deploy mutual TLS authentication with certificate-based verification to ensure that only authorized charging stations can connect to the backend systems. The implementation should include proper certificate management processes and regular certificate rotation to maintain security effectiveness. Additionally, network segmentation and access control lists should be deployed to limit connectivity to WebSocket endpoints to trusted network segments only. This vulnerability aligns with ATT&CK technique T1078, which covers valid accounts, and T1566, which covers credential harvesting, making it critical to implement proper authentication controls and monitor for unauthorized access attempts. The solution must also include comprehensive logging and monitoring capabilities to detect suspicious connection patterns and unauthorized command execution attempts that could indicate exploitation of this vulnerability.
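As an added illustration of the mitigation (example code written for this page, not Chargemap's or any OCPP library's implementation), the check below gates a WebSocket upgrade to an OCPP endpoint so that the station identifier in the URL is bound to an authenticated identity instead of being trusted on its own. It assumes a `/ocpp/<stationId>` path layout, a constructed in-memory credential store, and the OCPP security-profile convention of Basic authentication over TLS (profile 2) or a TLS client certificate whose CN is the station id (profile 3); the returned reason string is intended for the audit log so that rejected upgrades can be alerted on.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed credential store (assumption): station id -> SHA-256 of its
# Basic-auth password. A real CSMS would keep salted password hashes in a DB.
STATION_PASSWORD_HASHES = {
    "CP-0001": hashlib.sha256(b"s3cret-for-cp-0001").hexdigest(),
}
# Stations enrolled with TLS client certificates (security profile 3), by CN.
TRUSTED_CLIENT_CERT_CNS = {"CP-0002"}

def build_basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate_upgrade(path: str, authorization: Optional[str] = None,
                         client_cert_cn: Optional[str] = None) -> Tuple[bool, Optional[str], str]:
    """Gate a WebSocket upgrade to /ocpp/<stationId>; returns (accepted, station_id, reason).
    The id in the URL is never trusted alone: it must match the CN of a TLS-verified
    client certificate (profile 3) or Basic-auth credentials sent over TLS (profile 2)."""
    prefix = "/ocpp/"
    if not path.startswith(prefix) or len(path) == len(prefix):
        return False, None, "malformed path"
    station_id = path[len(prefix):]
    if client_cert_cn is not None:
        if client_cert_cn == station_id and station_id in TRUSTED_CLIENT_CERT_CNS:
            return True, station_id, "client certificate"
        return False, station_id, "certificate CN does not match station id"
    creds = parse_basic_auth(authorization)
    if creds is None:
        return False, station_id, "missing credentials"
    user, password = creds
    presented = hashlib.sha256(password.encode()).hexdigest()
    expected = STATION_PASSWORD_HASHES.get(station_id, "")  # unknown id never matches
    # Constant-time compare; the Basic-auth user must also equal the URL id.
    if hmac.compare_digest(expected, presented) and user == station_id:
        return True, station_id, "basic auth"
    return False, station_id, "invalid credentials"
```

The third case in the checks matters most for this CVE: valid credentials for one station presented on another station's URL are refused, so knowing an identifier is no longer enough to speak for that charger.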