Description
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend.
Published: 2026-02-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Control of Charging Infrastructure
Action: Apply Mitigation
AI Analysis

Impact

The vulnerability exposes WebSocket endpoints that handle OCPP commands without any authentication. Attackers can connect to the endpoint with a valid or guessed charger identifier and send or receive commands as if they were an authentic station. This permits privilege escalation, allowing an unauthenticated user to issue control commands to charging infrastructure, disrupt service, or alter data that the backend records.

Affected Systems

The affected product is Chargemap’s chargemap.com platform, specifically the WebSocket interfaces used by OCPP charging stations. Version information is not provided; therefore the vulnerability may affect all existing deployments of the platform until a fix is released.

Risk and Exploitability

The CVSS score of 9.3 indicates high severity, but the EPSS score of less than 1% suggests that exploitation is currently rare or not widely observed. The lack of authentication removes the need for credential theft, making the attack straightforward for anyone who can reach the public WebSocket endpoint. Because the vulnerability is not listed in the CISA KEV catalog, no publicly known exploit code is available yet, yet the potential for widespread disruption remains high.

Generated by OpenCVE AI on April 16, 2026 at 15:54 UTC.

Remediation

Vendor Workaround

Chargemap did not respond to CISA's request for coordination. Contact Chargemap using their contact page here: https://chargemap.com/en-us/support for more information.

OpenCVE Recommended Actions

  • Apply any available vendor patch or update to ensure proper authentication on the OCPP WebSocket endpoint.
  • Restrict access to the charging station WebSocket endpoint using network segmentation or firewall rules so that only trusted network hosts can reach it.
  • Enforce authentication for WebSocket connections, for example by requiring tokens or certificates before allowing OCPP messages.
  • Monitor and audit OCPP command traffic for unexpected patterns or unauthorized commands, and set alerts for anomalous activity.
  • Contact Chargemap support via their provided contact page to request a specific fix or temporary workaround.

Generated by OpenCVE AI on April 16, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chargemap:chargemap.com:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Chargemap
Chargemap chargemap.com
Vendors & Products Chargemap
Chargemap chargemap.com

Thu, 26 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Title Chargemap chargemap.com Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Chargemap Chargemap.com
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-05T20:34:08.453Z

Reserved: 2026-02-20T18:28:15.424Z

Link: CVE-2026-25851

cve-icon Vulnrichment

Updated: 2026-03-02T20:41:05.498Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T00:16:57.550

Modified: 2026-03-05T21:16:16.600

Link: CVE-2026-25851

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses