Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Published: 2026-03-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized control and manipulation of charging infrastructure
Action: Apply patch
AI Analysis

Impact

The vulnerability is found in ePower's epower.ie WebSocket endpoints, which lack authentication for critical OCPP functions. An attacker can connect to the backend using only a valid or guessed charging station identifier and then issue or intercept OCPP commands as if they were the legitimate charger. This can result in unauthorized control of the charging station, tampering with charging data, and potentially disrupting the charging network.

Affected Systems

The weakness affects ePower epower.ie devices. No specific firmware or software version is listed by the CNA, so any installation of ePower's epower.ie that exposes the vulnerable WebSocket interfaces should be treated as susceptible. Organizations should inventory all ePower epower.ie units and verify whether their OCPP WebSocket endpoints accept connections without credentials.

Risk and Exploitability

The CVSS 4.0 base score of 9.3 places the issue in the Critical severity range. The EPSS score of <1% indicates that active exploitation is currently unlikely, but the lack of authentication makes the impact severe for any attacker who can reach the endpoint. The vulnerability has not yet been listed in the CISA KEV catalog. Attackers would typically target the OCPP WebSocket endpoint over the public or internal network, requiring only the station identifier and network connectivity. No code execution or pre-existing privileges are required; the attacker's capability is bounded to the charging domain, but the ability to issue control commands and falsify reported data there can cause significant operational harm.

Generated by OpenCVE AI on April 16, 2026 at 11:52 UTC.

Remediation

Vendor Workaround

ePower did not respond to CISA's request for coordination. Contact ePower using their contact page here: https://epower.ie/support/ for more information.


OpenCVE Recommended Actions

  • Install the latest firmware or software release from ePower that addresses the unauthenticated WebSocket issue. If a specific patch is not yet publicly available, contact ePower's support for a resolution.
  • Restrict inbound traffic to the OCPP WebSocket endpoint, allowing only trusted IP addresses or internal networks, to reduce the attack surface.
  • Log and monitor OCPP traffic for anomalous commands or station identities, and set up alerts for unexpected command patterns.
  • As a temporary mitigation, contact ePower using the support page and request a plan for securing the endpoint until a patch is released.
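To make the monitoring recommendation above concrete, here is an added example (not ePower's code and not part of the advisory) of detection logic run over constructed OCPP WebSocket connection logs. It assumes a hypothetical one-JSON-object-per-line access log from a reverse proxy or CSMS, a constructed station inventory and a constructed trusted management network; the rule set flags the indicators this advisory describes: a station identity that is not in the inventory, a WebSocket upgrade with no credentials, a connection from an untrusted source, and the same station identity connected concurrently from two different addresses (the impersonation case).

```python
"""Detection over constructed OCPP WebSocket connection logs.

Added example for the logging/monitoring recommendation; it is not
ePower code. The log format is an assumption: one JSON object per
WebSocket connect/disconnect event, as a reverse proxy or CSMS might emit.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). CS-001 is first seen from the
# management VLAN with credentials, then a second, anonymous connection
# claims the same identity from a public address; CS-999 is not deployed at all.
SAMPLE_LOG = """
{"ts": "2026-03-05T10:00:01Z", "src": "10.20.0.11", "path": "/ocpp/CS-001", "auth": "basic", "event": "connect"}
{"ts": "2026-03-05T10:00:02Z", "src": "10.20.0.12", "path": "/ocpp/CS-002", "auth": "basic", "event": "connect"}
{"ts": "2026-03-05T10:00:05Z", "src": "10.20.0.11", "path": "/ocpp/CS-001", "auth": "basic", "event": "message", "action": "BootNotification"}
{"ts": "2026-03-05T10:01:00Z", "src": "203.0.113.7", "path": "/ocpp/CS-001", "auth": "none", "event": "connect"}
{"ts": "2026-03-05T10:01:03Z", "src": "203.0.113.7", "path": "/ocpp/CS-001", "auth": "none", "event": "message", "action": "MeterValues"}
{"ts": "2026-03-05T10:02:00Z", "src": "203.0.113.7", "path": "/ocpp/CS-999", "auth": "none", "event": "connect"}
{"ts": "2026-03-05T10:03:00Z", "src": "10.20.0.12", "path": "/ocpp/CS-002", "event": "disconnect"}
"""

# Constructed operator inventory and trusted charger-management network.
INVENTORY = {"CS-001", "CS-002", "CS-003"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def station_from_path(path):
    """OCPP-J clients place the charge point identity in the last URL segment."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def is_trusted(src, nets):
    """True when the source address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def analyze(log_text, inventory=INVENTORY, trusted_nets=TRUSTED_NETS):
    """Return a list of alert dicts; rules are evaluated on connect events only."""
    alerts = []
    active = defaultdict(set)  # station id -> source addresses with an open socket

    for raw in log_text.strip().splitlines():
        rec = json.loads(raw)
        station = station_from_path(rec["path"])
        src = rec["src"]
        event = rec.get("event")

        if event == "disconnect":
            active[station].discard(src)
            continue
        if event != "connect":
            continue

        def alert(rule):
            alerts.append({"rule": rule, "station": station, "src": src, "ts": rec["ts"]})

        if station not in inventory:
            alert("unknown_station")        # identity nobody deployed
        if rec.get("auth", "none") == "none":
            alert("unauthenticated")        # upgrade accepted with no credentials
        if not is_trusted(src, trusted_nets):
            alert("untrusted_source")       # not from the charger network
        if active[station] and src not in active[station]:
            alert("duplicate_identity")     # same station id, second address: impersonation
        active[station].add(src)

    return alerts


def summarize(alerts):
    """Count alerts per rule, handy for a dashboard or a threshold alert."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['rule']:<19} station={a['station']} src={a['src']}")
    print(dict(summarize(found)))
```

On the constructed sample the anonymous connection claiming CS-001 from 203.0.113.7 trips three rules at once (unauthenticated, untrusted source, duplicate identity), which is the signature of the impersonation this advisory describes, while CS-999 trips unknown station, unauthenticated and untrusted source. The same rules can feed an alert on any "duplicate_identity" or "unknown_station" hit, independent of volume, since a legitimate charger never presents two concurrent sessions from different addresses.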



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Epower; Epower epower.ie

Type: Vendors & Products
Values Added: Epower; Epower epower.ie

Thu, 05 Mar 2026 23:45:00 +0000

Type: Description
Values Added: WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Type: Title
Values Added: ePower epower.ie Missing Authentication for Critical Function

Type: Weaknesses
Values Added: CWE-306

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}
Values Added: cvssV4_0
{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-09T20:26:16.537Z

Reserved: 2026-02-24T00:23:47.080Z

Link: CVE-2026-22552

Vulnrichment

Updated: 2026-03-09T20:26:13.384Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T00:16:10.347

Modified: 2026-03-09T13:36:08.413

Link: CVE-2026-22552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:00:11Z

Weaknesses