Eparking Fi
The web-based mapping platform of IGL Technologies' eparking.fi application publicly exposes charging station authentication identifiers, so an unauthenticated network-based attacker can read sensitive credential material without any user interaction. The exposed authentication material could be leveraged for unauthorized access to the charging infrastructure. There is no indication of exploitation in the wild or of public proof-of-concept code, but the flaw is a direct exposure of authentication secrets (CWE-522) with moderate real-world impact.
A session management vulnerability in the WebSocket backend of IGL Technologies' eparking.fi platform allows multiple endpoints to connect using the same charging station identifier. Because session identifiers are predictable, an unauthenticated remote attacker can hijack a legitimate charging station session and thereby intercept backend commands, authenticate as another user, or cause a denial of service by overwhelming the backend with concurrent session requests. The vulnerability affects operational technology (OT) infrastructure and was disclosed by CISA ICS-CERT.
The eParking.fi WebSocket API places no limit on authentication attempts. This enables network-based denial-of-service attacks that suppress or mis-route electric vehicle charger telemetry, and credential brute-forcing to gain unauthorized access to the system. The issue was reported by ICS-CERT and affects all versions of the charging management platform. An EPSS score of 0.07% (22nd percentile) suggests a low probability of widespread exploitation, though SSVC rates it as automatable with partial technical impact. No active exploitation has been confirmed (it is not in the CISA KEV catalog), but the CVSS score of 8.7 with AV:N/PR:N/AC:L indicates trivial remote exploitation against unauthenticated endpoints.
The OCPP WebSocket endpoints accept unauthenticated connections, allowing a remote attacker to impersonate a legitimate charging station and execute arbitrary commands against the electric vehicle charging infrastructure without credentials. By connecting with a known station identifier, an attacker can manipulate charging operations, alter backend data, and escalate privileges across the charging network. No patch is currently available for this critical vulnerability affecting EV charging systems.