ePower.ie CVE-2026-22552
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AnalysisAI
Unauthenticated remote attackers can impersonate electric vehicle charging stations in ePower.ie by connecting to exposed OCPP WebSocket endpoints without credentials. Using any known or guessed charging station identifier, attackers gain full control to issue fraudulent charging commands, manipulate billing data, and corrupt network telemetry sent to backend systems. CISA ICS-CERT published an advisory (ICSA-26-062-07) indicating industrial control system exposure. EPSS score of 0.12% (31st percentile) suggests low automated exploitation probability despite 9.3 CVSS, though the authentication bypass affects critical electric vehicle charging infrastructure.
Technical ContextAI
The vulnerability affects ePower.ie's implementation of the Open Charge Point Protocol (OCPP), an industry-standard WebSocket-based protocol for communication between electric vehicle charging stations and central management systems. OCPP endpoints typically operate on port 80/443 with WebSocket upgrade requests and require station identifiers for message routing. The root cause is CWE-306 (Missing Authentication for Critical Function) - the WebSocket endpoint accepts OCPP connections without validating that the connecting client possesses credentials proving ownership of the claimed charging station identifier. The CVSS 4.0 vector (AV:N/AC:L/PR:N) confirms network-accessible exploitation requiring no authentication or complex preparation, with high confidentiality and integrity impact but only low availability impact.
RemediationAI
Consult the CISA ICS advisory (ICSA-26-062-07) at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07 and vendor support page at https://epower.ie/support/ for patch availability and specific fixed versions - patch version not independently confirmed from available data. Primary mitigation: implement network-level access controls to restrict OCPP WebSocket endpoints (typically TCP 80/443 with WebSocket upgrade) to known charging station IP addresses or VPN-connected devices only, using firewall rules or reverse proxy authentication. This prevents unauthorized internet-based connections but requires maintaining an IP allowlist and may complicate mobile charging station deployments. Secondary mitigation: deploy TLS client certificate authentication at the WebSocket layer, requiring each charging station to present a valid certificate during connection establishment. This provides cryptographic station identity verification but necessitates certificate lifecycle management (issuance, rotation, revocation) across the charging fleet. If implementing client certificates, ensure certificate validation occurs before accepting any OCPP messages. Temporary workaround if patching is delayed: enable connection logging and implement anomaly detection for unusual station identifiers, connection patterns from unexpected geographic locations, or commands inconsistent with station physical capabilities, though this is detective rather than preventive.
Denial-of-service and credential brute-forcing vulnerabilities in ePower.ie's WebSocket API allow remote unauthenticated
WebSocket session handling in charging station backends accepts duplicate session identifiers, allowing attackers to hij
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today