Chargeportal

4 CVEs

CVE-2026-28204 | MEDIUM | CISA | This Month

Authentication identifiers for electric vehicle charging stations are publicly exposed through web-based mapping platforms, allowing unauthenticated network-based access to sensitive authentication data. The vulnerability affects CTEK ChargePortal and enables attackers to obtain charging station credentials without requiring any privileges or user interaction. This information disclosure can lead to unauthorized access to charging infrastructure and potential manipulation of charging sessions.

Tags: Information Disclosure, Chargeportal
References: NVD, GitHub, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-27649 | MEDIUM | CISA | This Month

A session management vulnerability in CTEK ChargePortal's WebSocket backend allows attackers to hijack charging station sessions by connecting with the same predictable session identifier used by legitimate stations. This enables authentication bypass, interception of backend commands intended for legitimate charging stations, and denial of service through session flooding. The vulnerability affects CTEK ChargePortal with a CVSS score of 7.3 and is documented in ICS-CERT advisory ICSA-26-078-06, though no active exploitation (not listed in KEV) and no public PoC have been reported.

Tags: Authentication Bypass, Chargeportal
References: NVD, GitHub, VulDB
CVSS 4.0: 6.9
EPSS: 0.0%
CVE-2026-31904 | HIGH | CISA | Act Now

Missing rate limiting in CTEK Chargeportal's WebSocket API enables remote attackers to launch denial-of-service attacks against electric vehicle charging infrastructure telemetry or to conduct brute-force authentication attacks. All versions of Chargeportal are affected. CISA ICS-CERT has issued an advisory (ICSA-26-078-06), reflecting the critical infrastructure risk. EPSS exploitation probability is low (0.08%, 23rd percentile), and no active exploitation or public exploit is confirmed. SSVC assessment indicates the vulnerability is automatable but has no confirmed exploitation, suggesting moderate real-world urgency despite the high CVSS 8.7 score.

Tags: Authentication Bypass, Chargeportal
References: NVD, GitHub, VulDB
CVSS 4.0: 8.7
EPSS: 0.1%
CVE-2026-25192 | CRITICAL | CISA | Emergency

CTEK Chargeportal's OCPP WebSocket endpoints accept unauthenticated connections, allowing remote attackers to impersonate charging stations by connecting with known or discovered station identifiers and issuing fraudulent OCPP commands to the backend infrastructure. This authentication bypass enables complete control over charging operations, data manipulation, and privilege escalation across the charging network. CISA ICS-CERT issued advisory ICSA-26-078-06 for this industrial control system vulnerability. EPSS score of 0.13% (33rd percentile) indicates relatively low predicted exploitation likelihood despite critical CVSS 9.3 severity, though SSVC assessment confirms the vulnerability is fully automatable with total technical impact.

Tags: Authentication Bypass, Privilege Escalation, Chargeportal
References: NVD, GitHub, VulDB
CVSS 4.0: 9.3
EPSS: 0.1%