EUVD-2026-13852
GHSA-3pgw-qmv2-hv8m
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Analysis
Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems connected to eparking.fi infrastructure and isolate charging stations from direct internet exposure; notify all stakeholders and customers of the vulnerability. Within 7 days: Implement network segmentation to restrict WebSocket endpoint access to known, trusted station identifiers via allowlist controls; deploy enhanced logging and monitoring for all OCPP connection attempts. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today