Skip to main content

ePower.ie CVE-2026-22552

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-03-06 ics-cert@hq.dhs.gov
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 06, 2026 - 14:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 14:52 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 14:52 NVD
9.4 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 00:16 nvd
CRITICAL 9.4

DescriptionCVE.org

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

AnalysisAI

Unauthenticated remote attackers can impersonate electric vehicle charging stations in ePower.ie by connecting to exposed OCPP WebSocket endpoints without credentials. Using any known or guessed charging station identifier, attackers gain full control to issue fraudulent charging commands, manipulate billing data, and corrupt network telemetry sent to backend systems. CISA ICS-CERT published an advisory (ICSA-26-062-07) indicating industrial control system exposure. EPSS score of 0.12% (31st percentile) suggests low automated exploitation probability despite 9.3 CVSS, though the authentication bypass affects critical electric vehicle charging infrastructure.

Technical ContextAI

The vulnerability affects ePower.ie's implementation of the Open Charge Point Protocol (OCPP), an industry-standard WebSocket-based protocol for communication between electric vehicle charging stations and central management systems. OCPP endpoints typically operate on port 80/443 with WebSocket upgrade requests and require station identifiers for message routing. The root cause is CWE-306 (Missing Authentication for Critical Function) - the WebSocket endpoint accepts OCPP connections without validating that the connecting client possesses credentials proving ownership of the claimed charging station identifier. The CVSS 4.0 vector (AV:N/AC:L/PR:N) confirms network-accessible exploitation requiring no authentication or complex preparation, with high confidentiality and integrity impact but only low availability impact.

RemediationAI

Consult the CISA ICS advisory (ICSA-26-062-07) at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07 and vendor support page at https://epower.ie/support/ for patch availability and specific fixed versions - patch version not independently confirmed from available data. Primary mitigation: implement network-level access controls to restrict OCPP WebSocket endpoints (typically TCP 80/443 with WebSocket upgrade) to known charging station IP addresses or VPN-connected devices only, using firewall rules or reverse proxy authentication. This prevents unauthorized internet-based connections but requires maintaining an IP allowlist and may complicate mobile charging station deployments. Secondary mitigation: deploy TLS client certificate authentication at the WebSocket layer, requiring each charging station to present a valid certificate during connection establishment. This provides cryptographic station identity verification but necessitates certificate lifecycle management (issuance, rotation, revocation) across the charging fleet. If implementing client certificates, ensure certificate validation occurs before accepting any OCPP messages. Temporary workaround if patching is delayed: enable connection logging and implement anomaly detection for unusual station identifiers, connection patterns from unexpected geographic locations, or commands inconsistent with station physical capabilities, though this is detective rather than preventive.

Share

CVE-2026-22552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy