Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Published: 2026-03-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking and denial of service on eParking OCPP server
Action: Patch immediately
AI Analysis

Impact

The WebSocket backend associates charging station identifiers with sessions but permits multiple endpoints to use the same session identifier, creating a predictable scheme that enables session hijacking or shadowing. An attacker can displace a legitimate station and issue backend commands intended for that station, or flood the backend with valid session requests to cause a denial‑of‑service condition.

Affected Systems

This flaw affects IGL‑Technologies eParking.fi devices that run the unencrypted deployment of their OCPP servers. Devices using the encrypted deployment or IGL‑Technologies’ proprietary eTolppa protocol are not impacted. No specific version information is provided.

Risk and Exploitability

With a CVSS score of 6.9, the flaw is of moderate severity. EPSS data is not available and it is not listed in the CISA KEV catalog, which suggests a lower likelihood of widespread exploitation yet still warrants attention. An attacker with network access to the WebSocket interface could predict or guess a session identifier, hijack or shadow the session, and gain unauthorized control or disrupt service. The vendor’s update introduces modern security profiles, stronger authentication, device‑level whitelisting, rate limiting, and enhanced monitoring to mitigate these risks.

Generated by OpenCVE AI on March 21, 2026 at 08:07 UTC.

Remediation

Vendor Solution

IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. The updates implement the following security controls:

  1. Enforce modern security profiles and stronger authentication.
  2. Device-level whitelisting to ensure that only authorized devices connect.
  3. Rate-limiting controls that prevent excessive requests and reduce denial-of-service attacks.
  4. Enhanced automated monitoring and alerting to detect abnormal network activity.


OpenCVE Recommended Actions

  • Apply the latest IGL‑Technologies eParking OCPP server update, which enforces modern security profiles and stronger authentication.
  • Enable device‑level whitelisting to allow only authorized charging stations to connect.
  • Configure rate limiting on the WebSocket endpoint to prevent excessive requests.
  • Deploy the encrypted OCPP deployment or switch to the proprietary eTolppa protocol, which are not affected by this vulnerability.
  • Set up automated monitoring and alerting for abnormal network activity to detect potential hijacking attempts.
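The following is an added illustration, not the vendor's code or the OpenCVE page's own content: a constructed in-memory model of a WebSocket backend that keys sessions by charging-station identifier. The first class reproduces the displacing policy the Description reports (newest connection wins), and the second applies the controls listed under Vendor Solution (per-station credential, device whitelist, refusal to displace a live session, per-peer rate limiting). Class and method names are hypothetical.

```python
import hmac

# Constructed model of an OCPP WebSocket backend that keys sessions by the
# charging-station identifier. Names are hypothetical, not the vendor's code.
class DisplacingBackend:
    """Flawed policy from the advisory: the newest connection for a station id
    replaces the live one, so backend commands are routed to the newcomer."""
    def __init__(self):
        self.sessions = {}                 # station_id -> peer endpoint

    def connect(self, station_id, peer):
        self.sessions[station_id] = peer   # no check that the slot is taken
        return "accepted"

    def route_command(self, station_id):
        return self.sessions.get(station_id)

class HardenedBackend:
    """Whitelisted ids, per-station credential, no displacement, rate limiting."""
    def __init__(self, whitelist, max_attempts=5, window=60.0):
        self.whitelist = whitelist         # station_id -> shared secret
        self.sessions = {}                 # station_id -> peer endpoint
        self.attempts = {}                 # peer -> connect timestamps
        self.max_attempts, self.window = max_attempts, window

    def _rate_limited(self, peer, now):
        recent = [t for t in self.attempts.get(peer, []) if now - t < self.window]
        recent.append(now)
        self.attempts[peer] = recent
        return len(recent) > self.max_attempts

    def connect(self, station_id, peer, secret, now):
        if self._rate_limited(peer, now):
            return "rate_limited"
        expected = self.whitelist.get(station_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return "unauthorized"          # unknown station or bad credential
        live = self.sessions.get(station_id)
        if live is not None and live != peer:
            return "already_connected"     # never displace the live session
        self.sessions[station_id] = peer
        return "accepted"

    def disconnect(self, station_id, peer):
        if self.sessions.get(station_id) == peer:   # only the owner releases it
            del self.sessions[station_id]

    def route_command(self, station_id):
        return self.sessions.get(station_id)
```

The `now` parameter is passed in explicitly so the rate-limit window can be exercised deterministically; a real deployment would take it from the clock.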

Generated by OpenCVE AI on March 21, 2026 at 08:07 UTC.

Advisories

No advisories yet.

History

Wed, 06 May 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Igl; Igl eparking.fi
CPEs                 -                cpe:2.3:a:igl:eparking.fi:-:*:*:*:*:*:*:*
Vendors & Products   -                Igl; Igl eparking.fi

Mon, 23 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Igl-technologies; Igl-technologies eparking.fi
Vendors & Products   -                Igl-technologies; Igl-technologies eparking.fi

Sat, 21 Mar 2026 05:30:00 +0000

Type                 Values Removed   Values Added
Description          -                (text identical to the Description at the top of this page)
Title                -                IGL-Technologies eParking.fi Insufficient Session Expiration
Weaknesses           -                CWE-613
References           -                -
Metrics              -                cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
                                      cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T15:56:21.511Z

Reserved: 2026-03-12T20:17:17.777Z

Link: CVE-2026-32663

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-20T23:16:44.477

Modified: 2026-05-06T18:14:24.580

Link: CVE-2026-32663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:56Z

Weaknesses