Description
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Published: 2026-03-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure for Charging Stations
Action: Apply Patch
AI Analysis

Impact

A flaw exists in the IGL‑Technologies eParking.fi charging‑station software that allows authentication identifiers to be publicly visible through web‑based mapping platforms. This results in the disclosure of credentials which can enable unauthorized access to charging station functions, potentially leading to fraudulent usage, service disruption, or theft of charging data. The weakness is an example of insecure storage or transmission of credentials (CWE‑522).

Affected Systems

The affected product is the IGL‑Technologies eParking.fi OCPP server component. The risk applies to installations using the standard, unencrypted deployment of the servers; encrypted deployments or the proprietary eTolppa protocol are not impacted. No specific version range is supplied, but the advisory indicates that a recent proprietary patch has been issued to address the issue.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity risk. While EPSS data is not provided and the vulnerability is not listed in the CISA KEV catalog, the publicly exposed credentials make exploitation relatively straightforward for an attacker who can discover the mapping platform. The likelihood of exploitation is inferred to be moderate, given that a publicly available credential object can be captured without authentication. The impact is primarily a confidentiality breach of credentials, with secondary risks to availability and integrity if the compromised credentials are used to manipulate charging sessions.

Generated by OpenCVE AI on March 21, 2026 at 07:01 UTC.

Remediation

Vendor Solution

IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls:

  1. Enforce modern security profiles and stronger authentication.
  2. Device-level whitelisting was implemented to ensure authorized devices connect.
  3. Rate limiting controls prevent excessive requests and reduce denial-of-service attacks.
  4. Enhanced automated monitoring and alerting to detect abnormal network activity.


OpenCVE Recommended Actions

  • Apply the vendor’s latest firmware and security update for eParking.fi OCPP servers.
  • Verify that your deployment uses the encrypted server or the proprietary eTolppa protocol, which are immune to this vulnerability.
  • Restrict public access to mapping platforms that expose charging‑station credentials, or implement authentication and authorization controls for those interfaces.
  • Enable and review automated monitoring and alerting for anomalous network activity to detect potential credential abuse.
  • Schedule regular vulnerability scans of your charging‑station infrastructure to ensure no undiscovered exposures remain.

Generated by OpenCVE AI on March 21, 2026 at 07:01 UTC.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Igl-technologies; Igl-technologies eparking.fi
Vendors & Products | | Igl-technologies; Igl-technologies eparking.fi

Sat, 21 Mar 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Title | | IGL-Technologies eParking.fi Insufficiently Protected Credentials
Weaknesses | | CWE-522
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T15:56:15.899Z

Reserved: 2026-03-12T20:17:17.790Z

Link: CVE-2026-31926

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-20T23:16:44.257

Modified: 2026-03-23T16:16:46.783

Link: CVE-2026-31926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:52Z

Weaknesses