Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AnalysisAI
Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions — remote unauthenticated exploitation against default OCPP WebSocket endpoints lacking authentication. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This vulnerability presents critical real-world risk with multiple concerning factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans the internet for exposed OCPP WebSocket endpoints on port 443 or 8080 and identifies an eparking.fi installation. Using publicly available charging station identifiers obtained from mobile apps or by enumerating sequential IDs, the attacker establishes a WebSocket connection claiming to be a legitimate charging station. … |
| Remediation | Immediately implement WebSocket authentication mechanisms for all OCPP endpoints, requiring mutual TLS authentication or token-based authentication before processing any charging station commands. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems connected to eparking.fi infrastructure and isolate charging stations from direct internet exposure; notify all stakeholders and customers of the vulnerability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eparking Fi
View allUnlimited authentication attempts against the eParking.fi WebSocket API enable network-based denial-of-service attacks t
A session management vulnerability exists in the WebSocket backend of IGL Technologies' eparking.fi platform that allows
A web-based mapping platform exposes charging station authentication identifiers publicly, allowing unauthenticated netw
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13852
GHSA-3pgw-qmv2-hv8m