CVE-2026-25192 · CRITICAL 9.8 · EPSS percentile 37.8%

Description

The OCPP WebSocket endpoint does not authenticate connecting clients, so an attacker can impersonate a charging station and manipulate the data the backend receives. An unauthenticated attacker who knows or discovers a charging station identifier can open a WebSocket connection to the OCPP endpoint as that station and then send and receive OCPP messages as if they were the legitimate charger. Because no credential is checked at connection time, this allows privilege escalation, unauthorized control of charging infrastructure, and corruption of the charging-network data reported to the backend.
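
The following is an added illustration of the weakness class, not code from the affected product or from the advisory. It models a CSMS (backend) that accepts OCPP-J WebSocket upgrades and shows the accept-anything policy the description implies beside a hardened one that checks HTTP Basic credentials on the upgrade request (the check used by OCPP security profiles 1 and 2; profile 3 uses TLS client certificates instead, which the page does not discuss). The station IDs, password, URL path and frames are constructed for the example; the page does not state which OCPP version or URL layout the affected product uses.

```python
import base64
import hmac
import json

# Constructed credential store (hypothetical identity and password, not from the
# advisory): charging station identity -> password provisioned out of band.
CREDENTIALS = {"CP-0001": b"example-password-16ch"}

OCPP_CALL = 2  # OCPP-J message type for a request; 3 = CALLRESULT, 4 = CALLERROR
ALLOWED_SUBPROTOCOLS = ("ocpp1.6", "ocpp2.0.1")


def station_id_from_path(path: str) -> str:
    """OCPP-J carries the station identity as the last segment of the WebSocket URL."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_accept(headers: dict, path: str):
    """CWE-306 behaviour: whoever names a station ID in the URL becomes that station."""
    return station_id_from_path(path)


def hardened_accept(headers: dict, path: str):
    """Authenticate the upgrade request before any OCPP frame is processed.

    Basic username must equal the station identity in the URL and the password must
    match the provisioned secret. Returns the station ID, or None to refuse the upgrade.
    """
    station = station_id_from_path(path)
    if headers.get("Sec-WebSocket-Protocol") not in ALLOWED_SUBPROTOCOLS:
        return None
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user != station:
        return None
    expected = CREDENTIALS.get(station)
    # Constant-time compare, against a dummy secret when the identity is unknown, so
    # response timing does not reveal which station IDs are provisioned.
    match = hmac.compare_digest(password.encode("utf-8"), expected or b"\0" * 32)
    return station if expected is not None and match else None


def parse_call(frame: str):
    """Parse an OCPP-J CALL frame: [2, "<unique id>", "<Action>", {payload}]."""
    msg = json.loads(frame)
    if not (isinstance(msg, list) and len(msg) == 4 and msg[0] == OCPP_CALL):
        raise ValueError("not a CALL frame")
    _, msg_id, action, payload = msg
    if not (isinstance(msg_id, str) and isinstance(action, str) and isinstance(payload, dict)):
        raise ValueError("malformed CALL frame")
    return msg_id, action, payload


def process_session(accept, headers: dict, path: str, frames):
    """Run one WebSocket session under the given accept policy.

    Returns (station_id, accepted_actions); station_id is None when the upgrade was
    refused, in which case no frame is processed at all.
    """
    station = accept(headers, path)
    if station is None:
        return None, []
    accepted = []
    for frame in frames:
        try:
            _, action, _ = parse_call(frame)
        except ValueError:
            continue  # a real CSMS would answer with a CALLERROR here
        # From here on the backend attributes the message to `station`: a Faulted
        # StatusNotification, for example, is recorded against that charger.
        accepted.append(action)
    return station, accepted


# Constructed frames an impersonator could send once connected as CP-0001.
IMPERSONATOR_FRAMES = [
    json.dumps([OCPP_CALL, "1", "BootNotification",
                {"chargePointVendor": "Example", "chargePointModel": "Example"}]),
    json.dumps([OCPP_CALL, "2", "StatusNotification",
                {"connectorId": 1, "errorCode": "NoError", "status": "Faulted"}]),
]
NO_AUTH_HEADERS = {"Sec-WebSocket-Protocol": "ocpp1.6"}


def basic_headers(station: str, password: str) -> dict:
    """Upgrade-request headers a legitimate station sends under Basic auth."""
    token = base64.b64encode(f"{station}:{password}".encode("utf-8")).decode("ascii")
    return {"Sec-WebSocket-Protocol": "ocpp1.6", "Authorization": "Basic " + token}


if __name__ == "__main__":
    print(process_session(vulnerable_accept, NO_AUTH_HEADERS, "/ocpp/CP-0001", IMPERSONATOR_FRAMES))
    print(process_session(hardened_accept, NO_AUTH_HEADERS, "/ocpp/CP-0001", IMPERSONATOR_FRAMES))
    print(process_session(hardened_accept, basic_headers("CP-0001", "example-password-16ch"),
                          "/ocpp/CP-0001", IMPERSONATOR_FRAMES))
```

Under the vulnerable policy the credential-less session is attributed to CP-0001 and both frames are processed; under the hardened policy the same session is refused at the upgrade, and a session whose Basic username does not match the identity in the URL is refused even when the password is valid. The credentials must still travel over TLS, otherwise an on-path attacker recovers them and impersonates the station anyway.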

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% probability of exploitation · percentile 37.8% · scored 2026-06-19T12:03:05Z
Published: 2026-03-20
Last modified: 2026-05-06

Underlying weaknesses (1)

CWE-306: Missing Authentication for Critical Function

References

  1. https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json
  2. https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06
  3. https://www.ctek.com/support


Type      Target                                                  Confidence  Tier
Weakness  Missing Authentication for Critical Function (cwe-306)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-22552
CVE: CVE-2026-27028
CVE: CVE-2026-20781
CVE: CVE-2026-26051
CVE: CVE-2026-29796
CVE: CVE-2026-24731
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.