DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25851: CVE-2026-25851: Critical Authentication Bypass in Chargemap OCPP Backend

#security #cve #cybersecurity

CVE-2026-25851: Critical Authentication Bypass in Chargemap OCPP Backend

Vulnerability ID: CVE-2026-25851
CVSS Score: 9.4
Published: 2026-02-26

A critical missing authentication vulnerability (CWE-306) in the Chargemap backend infrastructure allows unauthenticated remote attackers to impersonate electric vehicle (EV) charging stations. By leveraging publicly discoverable station identifiers, attackers can establish unauthorized WebSocket connections to the Open Charge Point Protocol (OCPP) interface. This access permits the manipulation of charging sessions, falsification of meter data, and potential denial of service against legitimate infrastructure.

TL;DR

Unauthenticated attackers can connect to Chargemap's backend as any charging station using only the station's ID. This allows full control over charging sessions and data reporting. No patch is currently available.

Technical Details

  • CWE: CWE-306: Missing Authentication for Critical Function
  • CVSS v3.1: 9.4 (Critical)
  • Attack Vector: Network (Remote)
  • Attack Complexity: Low
  • Privileges Required: None
  • Exploit Status: No known public PoC, but trivial to exploit
  • Vendor Status: Unpatched / Unresponsive

Affected Systems

  • Chargemap Backend Infrastructure
  • OCPP WebSocket Endpoints (wss://backend.chargemap.com)
  • Chargemap Backend Services: all versions (Fixed in: None)

Exploit Details

  • CISA: CISA Advisory noting the lack of authentication and public availability of exploits methodology.

Mitigation Strategies

  • Implement OCPP Security Profile 2 (TLS + Basic Auth) or Profile 3 (TLS + mTLS).
  • Use cryptographically secure, random Station IDs instead of sequential or predictable ones.
  • Enforce strict rate limiting on WebSocket connection endpoints.
  • Isolate charging infrastructure using VPNs or private APNs.

Remediation Steps:

  1. Operators must contact Chargemap support for a status update.
  2. There is no user-side patch; the fix must be applied to the chargemap.com backend infrastructure.
  3. Monitor backend logs for duplicate connections or connections from anomalous IP addresses targeting specific Station IDs.

References

Read the full report for CVE-2026-25851 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)