Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

The vulnerability arises from the WebSocket API of CTEK Chargeportal lacking any restriction on how many authentication attempts can be made. This omission permits an attacker to repeatedly send authentication requests, enabling either brute‑force credential discovery or the suppression of legitimate charger telemetry, resulting in a denial‑of‑service condition for the affected charging infrastructure. The weakness is classified as CWE‑307: Authentication Bypass Through Excessive Login Attempts.

Affected Systems

The issue affects the CTEK Chargeportal product. No specific version information is supplied, so all installations of this product are potentially impacted until the service is sunset.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity, yet the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access to the WebSocket endpoint; no special authentication or privileged access is needed beyond the public interface. An attacker could simply flood the endpoint with login requests, causing service disruption or credential compromise for legitimate users. Because the product is slated for retirement, the long‑term risk to new deployments may be mitigated, but existing installations remain at high risk until appropriate controls are applied.

Generated by OpenCVE AI on March 21, 2026 at 07:05 UTC.

Remediation

Vendor Workaround

CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information  https://www.ctek.com/support .

OpenCVE Recommended Actions

  • Contact CTEK for guidance on the sunset transition and any interim security guidance
  • Restrict access to the Chargeportal WebSocket endpoint to authorized devices using firewall or VLAN rules
  • Implement rate limiting or throttling on the WebSocket service at the network or application layer
  • Monitor authentication logs for suspicious or repetitive authentication attempts

Generated by OpenCVE AI on March 21, 2026 at 07:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Ctek
Ctek chargeportal
Vendors & Products Ctek
Ctek chargeportal

Fri, 20 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
Description The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Title CTEK Chargeportal Improper Restriction of Excessive Authentication Attempts
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ctek Chargeportal
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T14:16:28.724Z

Reserved: 2026-03-12T16:52:46.513Z

Link: CVE-2026-31904

cve-icon Vulnrichment

Updated: 2026-03-23T14:16:25.878Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T23:16:44.060

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-31904

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:09Z

Weaknesses