Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging
infrastructure, and corruption of charging network data reported to the backend.
Published: 2026-03-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Disable
AI Analysis

Impact

A vulnerability in the CTEK Chargeportal’s WebSocket endpoints allows an attacker to connect without authentication. By using a known or discovered charging‑station identifier, an unauthenticated user can impersonate a legitimate station and issue OCPP commands to the backend. The lack of access control permits privilege escalation, unauthorized control of charging infrastructure, and corruption of data that the backend reports. This defect corresponds to CWE-306, reflecting missing authentication.

Affected Systems

The affected product is CTEK Chargeportal. Specific version information is not provided in the public disclosure. The vendor has announced that the product will be sunset in April 2026, indicating that no active maintainer will provide a fix or update for the current release.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, signifying critical impact. Although the EPSS score is not available, the absence of authentication on a network‑exposed WebSocket endpoint strongly suggests a high likelihood of exploitation. The vendor has not listed this issue in the CISA KEV catalog, but the scenario permits remote attackers to execute arbitrary commands, disrupt operations, and manipulate billing or monitoring data. The attack vector is inferred to be remote over the network, requiring only knowledge of a station identifier to take advantage of the vulnerability.

Generated by OpenCVE AI on March 20, 2026 at 23:21 UTC.

Remediation

Vendor Workaround

CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information  https://www.ctek.com/support .

OpenCVE Recommended Actions

  • Disable or remove the Chargeportal from active deployment.
  • Contact CTEK support for end‑of‑life transition and replacement options.
  • Restrict network access to the OCPP WebSocket endpoint to trusted IP ranges.
  • Monitor system logs for suspicious WebSocket connections and OCPP command activity.

Generated by OpenCVE AI on March 20, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Ctek
Ctek chargeportal
Vendors & Products Ctek
Ctek chargeportal

Fri, 20 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Title CTEK Chargeportal Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Ctek Chargeportal
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T14:15:57.579Z

Reserved: 2026-03-12T16:52:46.488Z

Link: CVE-2026-25192

cve-icon Vulnrichment

Updated: 2026-03-23T14:15:54.581Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T23:16:42.780

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-25192

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:11Z

Weaknesses