Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Published: 2026-03-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking; Denial of Service
Action: Apply Workaround
AI Analysis

Impact

The CTEK Chargeportal WebSocket backend uses charging station identifiers as session identifiers but allows multiple endpoints to connect with the same identifier. This design flaw makes session IDs predictable and allows an attacker to hijack or shadow an existing session. As a result, authenticating users can be impersonated or overridden, giving the malicious party control over backend commands intended for the legitimate station, and potentially causing a denial‑of‑service condition by flooding the backend with valid session requests. The weakness is a classic example of Inadequate Session Expiration (CWE‑613).

Affected Systems

All deployments of the CTEK Chargeportal product are potentially vulnerable; no specific version information is listed, so any installation remains at risk until remediated.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting that no widespread exploitation has been reported yet. Based on the description, it is inferred that the attack vector is remote via the WebSocket endpoint, requiring only network access to the server to establish a connection and predict or observe a valid session identifier. Successful exploitation could allow an attacker to assume control of a charging station or disrupt backend operations, but it would not grant full system takeover without additional privilege escalation. The overall risk is moderate, pending the availability of a vendor patch or product deprecation plan.

Generated by OpenCVE AI on March 21, 2026 at 07:43 UTC.

Remediation

Vendor Workaround

CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information  https://www.ctek.com/support .

OpenCVE Recommended Actions

  • Contact CTEK support to plan sunsetting of Chargeportal before April 2026 and begin migration to an alternative solution.
  • Disable or shut down any unused charging station endpoints to reduce the number of exposed session identifiers.
  • Isolate the Chargeportal backend behind a segmentation firewall to block external WebSocket access.
  • Monitor WebSocket traffic for repeated or anomalous session ID usage and alert when suspicious activity is detected.
  • Apply any vendor‑issued patches or configuration updates as soon as they become available following the product sunset.
  • Consider adding token‑based authentication to the WebSocket connection as a temporary mitigation if a patch is not forthcoming.

Generated by OpenCVE AI on March 21, 2026 at 07:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Ctek charge Portal
CPEs cpe:2.3:a:ctek:charge_portal:-:*:*:*:*:*:*:*
Vendors & Products Ctek charge Portal

Mon, 23 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Ctek
Ctek chargeportal
Vendors & Products Ctek
Ctek chargeportal

Fri, 20 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
Description The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Title CTEK Chargeportal Insufficient Session Expiration
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Ctek Charge Portal Chargeportal
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T14:17:03.447Z

Reserved: 2026-03-12T16:52:46.523Z

Link: CVE-2026-27649

cve-icon Vulnrichment

Updated: 2026-03-23T14:16:56.195Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T23:16:43.003

Modified: 2026-05-06T15:16:53.670

Link: CVE-2026-27649

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:07Z

Weaknesses