Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Published: 2026-03-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Control of Charging Infrastructure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the WebSocket endpoints of IGL‑Technologies eParking.fi’s OCPP servers. Without proper authentication, an unauthenticated attacker can connect to the exposed endpoint using a known charging station identifier. This allows the attacker to issue or intercept OCPP commands as if they were a legitimate charger, enabling them to manipulate charging data, alter state, or disrupt service. The consequence is privilege escalation against the charging network, potentially causing unauthorized control of infrastructure and corruption of data reported to the backend.

Affected Systems

Affected products belong to IGL‑Technologies: the eParking.fi platform, specifically the OCPP servers that expose WebSocket endpoints. Versions before the vendor’s updated release, which added security controls, are impacted. Devices that deploy the encrypted eParking OCPP servers or use IGL’s proprietary eTolppa protocol are not affected, as the vulnerability targets only the plain OCPP WebSocket interface.

Risk and Exploitability

The CVSS 4.0 score of 9.3 places this vulnerability in the critical range. The EPSS probability is below 1%, and the issue has not been listed in the CISA KEV catalog. Attackers can exploit this flaw remotely by simply opening a WebSocket connection to the server, requiring no credentials. Because the attack path is straightforward and the scope covers the entire charging network, the risk remains high. The vendor has released a patch that mitigates the issue, but until it is applied the vulnerability remains fully exploitable.

Generated by OpenCVE AI on March 21, 2026 at 06:43 UTC.

Remediation

Vendor Solution

IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls:
  1. Enforce modern security profiles and stronger authentication.
  2. Device-level whitelisting ensures that only authorized devices connect.
  3. Rate-limiting controls prevent excessive requests and reduce denial-of-service attacks.
  4. Enhanced automated monitoring and alerting to detect abnormal network activity.
Devices using the encrypted deployment of eParking's OCPP servers or IGL-Technologies' proprietary eTolppa protocol are not impacted by these vulnerabilities.


OpenCVE Recommended Actions

  • Apply the IGL‑Technologies update to eParking’s OCPP servers, which enables modern security profiles and stronger authentication.
  • Verify that the WebSocket endpoints now require authentication and that only authorized charging stations can connect.
  • Where the plain OCPP WebSocket interface is not required, disable or isolate it; the vendor states that the encrypted eParking OCPP deployment and the eTolppa protocol are not affected by this vulnerability.
  • Implement device‑level whitelisting to restrict access to approved charging stations.
  • Enable rate limiting to protect against excessive request volume.
  • Monitor network traffic for abnormal activity and set alerts on suspicious connections.
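As an added illustration (not code from IGL-Technologies or the eParking platform), the following Python handshake gate puts the pre-fix behaviour the advisory describes next to a hardened form that applies the controls listed above: HTTP Basic authentication in the style of OCPP 1.6 security profiles 1 and 2, a device allowlist, and per-source rate limiting. The station ids, passwords and rate-limit values are constructed assumptions, and the clock is passed in explicitly so the logic can be exercised offline.

```python
import base64
import hmac
from collections import defaultdict

# Constructed credential store (assumption): OCPP 1.6 security profiles 1 and 2
# use HTTP Basic authentication with the charge point identifier as the user name.
STATION_CREDENTIALS = {"CP-0001": "s3cret-one", "CP-0002": "s3cret-two"}
ALLOWED_STATIONS = set(STATION_CREDENTIALS)   # device-level allowlist
RATE_LIMIT, RATE_WINDOW_S = 5, 60.0           # handshakes per source per window
_attempts = defaultdict(list)

def basic_auth_header(user, password):
    """Build the Authorization header value a compliant charger would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _rate_limited(source, now):
    recent = [t for t in _attempts[source] if now - t < RATE_WINDOW_S]
    recent.append(now)
    _attempts[source] = recent
    return len(recent) > RATE_LIMIT

def vulnerable_gate(path, headers, source, now):
    """Pre-fix behaviour from the advisory: whoever puts a station id in the
    URL path is treated as that charger; no credentials are checked."""
    return path.rsplit("/", 1)[-1] or None

def hardened_gate(path, headers, source, now):
    """Return the authenticated station id, or None to reject the handshake."""
    if _rate_limited(source, now):                      # rate limit per source
        return None
    station = path.rsplit("/", 1)[-1]
    if station not in ALLOWED_STATIONS:                 # allowlist check first
        return None
    offered = [p.strip() for p in headers.get("Sec-WebSocket-Protocol", "").split(",")]
    if "ocpp1.6" not in offered:                        # require the OCPP subprotocol
        return None
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = STATION_CREDENTIALS.get(station)
    # user name must equal the station in the path; constant-time comparison
    if user != station or expected is None or \
            not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return station
```

In a real server the gate runs during the WebSocket upgrade, before any OCPP message is parsed, so an unauthenticated or unlisted caller never reaches the message handlers.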


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 15:15:00 +0000
  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000
  Type: First Time appeared
  Values Removed: (none)
  Values Added: Igl-technologies; Igl-technologies eparking.fi
  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Igl-technologies; Igl-technologies eparking.fi

Fri, 20 Mar 2026 23:00:00 +0000
  Type: Description
  Values Removed: (none)
  Values Added: WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
  Type: Title
  Values Added: IGL-Technologies eParking.fi Missing Authentication for Critical Function
  Type: Weaknesses
  Values Added: CWE-306
  Type: References
  Values Added: (none listed)
  Type: Metrics (cvssV3_1)
  Values Added: {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}
  Type: Metrics (cvssV4_0)
  Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T14:29:03.578Z

Reserved: 2026-03-12T20:17:17.751Z

Link: CVE-2026-29796

Vulnrichment

Updated: 2026-03-23T14:28:51.911Z

NVD

Status : Awaiting Analysis

Published: 2026-03-20T23:16:43.410

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-29796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:00Z

Weaknesses