EUVD-2026-13846
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Analysis
Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against EV charging infrastructure without credentials. By connecting with a known station identifier, threat actors can manipulate charging operations, escalate privileges, and corrupt backend network data. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all CTEK ChargePortal deployments in your environment and isolate OCPP WebSocket endpoints from untrusted networks; notify your CTEK account team and request interim guidance. Within 7 days: Implement network segmentation to restrict charging station communications to authorized subnets, deploy enhanced monitoring/logging on OCPP endpoints for anomalous activity, and brief executive leadership on contingency plans for service disruption. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today