Cyber Posture

CVE-2026-25851

Critical

Published: 27 February 2026

Published
27 February 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0020 41.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…

more

or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Mitigating Controls (NIST 800-53 r5)AI

IA-3 Device Identification and Authentication good match
prevent

Requires identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized impersonation.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations requiring authentication for access to OCPP WebSocket endpoints, blocking unauthenticated connections and data manipulation.

SC-23 Session Authenticity good match
prevent

Protects the authenticity of WebSocket communications sessions, mitigating station impersonation by ensuring only legitimate sessions process OCPP commands.

Security SummaryAI

CVE-2026-25851 involves WebSocket endpoints that lack proper authentication mechanisms, allowing attackers to perform unauthorized station impersonation and manipulate data sent to the backend. This vulnerability affects OCPP WebSocket endpoints used in charging station communications, where no authentication is required for connections. Mapped to CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and was published on 2026-02-27.

An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issuing or receiving OCPP commands as a legitimate charger. Successful exploitation enables privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend.

CISA has issued ICS Advisory ICSA-26-057-05 addressing this vulnerability, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05, along with a related CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json and Chargemap support documentation at https://chargemap.com/en-us/support. Security practitioners should consult these advisories for mitigation details and patch information.

Details

CWE(s)
CWE-306

Affected Products

chargemap
chargemap.com
all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1684.001 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
attack.mitre.org →
Why these techniques?

Unauthenticated WebSocket endpoints enable exploitation of a public-facing application (T1190), privilege escalation via unauthorized station control (T1068), and impersonation of charging stations using identifiers (T1656).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References