Description
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Published: 2026-03-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential disclosure through publicly exposed authentication identifiers
Action: Replace
AI Analysis

Impact

This vulnerability allows an attacker to obtain charging station authentication identifiers that are publicly accessible via web-based mapping platforms. Because these credentials are not adequately protected, an adversary could gain unauthorized access to station controls or services. The weakness corresponds to CWE-522, which involves insufficient protection of credentials during storage or transmission, potentially compromising confidentiality of user data and device access.

Affected Systems

The CTEK Chargeportal product is impacted. No specific version information is provided, so all current releases are considered potentially vulnerable. The product will be sunset in April 2026, after which support will cease.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is remote via the publicly available web interface; this inference comes from the description of credential exposure on web-based mapping platforms. Given the product’s planned discontinuation, the window for exploitation may be limited, but the potential impact remains significant for any remaining installations.

Generated by OpenCVE AI on March 21, 2026 at 06:44 UTC.

Remediation

Vendor Workaround

CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information: https://www.ctek.com/support


OpenCVE Recommended Actions

  • Contact CTEK to confirm the product sunset timeline and discuss removal options
  • Replace CTEK Chargeportal with a supported alternative before April 2026
  • Audit any remaining credential storage and apply appropriate access controls
  • Monitor logs for unauthorized access attempts and patch or disable exposed endpoints as soon as possible

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ctek; Ctek chargeportal

Type: Vendors & Products
Values Removed: (none)
Values Added: Ctek; Ctek chargeportal

Fri, 20 Mar 2026 23:00:00 +0000

Values Removed: (none)
Values Added:
Description: Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Title: CTEK Chargeportal Insufficiently Protected Credentials
Weaknesses: CWE-522
References
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T14:18:21.698Z

Reserved: 2026-03-12T16:52:46.534Z

Link: CVE-2026-28204

Vulnrichment

Updated: 2026-03-23T14:18:18.768Z

NVD

Status: Awaiting Analysis

Published: 2026-03-20T23:16:43.210

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-28204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:05Z

Weaknesses