Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description (CVE.org)
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
Analysis (AI)
Authentication identifiers for electric vehicle charging stations are publicly exposed through web-based mapping platforms, allowing unauthenticated network-based access to sensitive authentication data. The vulnerability affects CTEK ChargePortal and enables attackers to obtain charging station credentials without requiring any privileges or user interaction. …
Vulnerability Assessment (AI)
| Risk Assessment | The CVSS 3.1 score of 6.5 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N indicates a medium-severity vulnerability with moderate real-world risk. … |
| Exploit Scenario | An attacker discovers CTEK charging stations listed on public mapping platforms and extracts exposed authentication identifiers directly from the platform's data or through automated scraping. Using these credentials, the attacker gains unauthorized access to the ChargePortal management interface to monitor charging activity, redirect billing, or disable specific charging stations. … |
| Remediation | Immediately contact CTEK support (https://www.ctek.com/support) to obtain and deploy the latest patched version of ChargePortal that implements proper credential protection and removes authentication identifiers from public mapping platform integration. … |
Recommended Action (AI)
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …
More in Chargeportal
- CTEK Chargeportal's OCPP WebSocket endpoints accept unauthenticated connections, allowing remote attackers to impersonat
- Missing rate limiting in CTEK Chargeportal's WebSocket API enables remote attackers to launch denial-of-service attacks
- A session management vulnerability in CTEK ChargePortal's WebSocket backend allows attackers to hijack charging station
Same weakness: CWE-522 – Insufficiently Protected Credentials
Same technique: Information Disclosure
EUVD-2026-13850