Platform: other
Component: csaf
CVE-2026-25851 is a critical vulnerability affecting all versions of chargemap.com. It stems from a lack of authentication on the platform's OCPP WebSocket endpoints, which lets an attacker impersonate a charging station. The result can be unauthorized control of charging infrastructure and corruption of the data that stations report to the backend. A fix is expected, and interim mitigations are described below.
The impact of CVE-2026-25851 is significant. In OCPP the charging station opens the WebSocket connection to the backend and is identified by the station identifier in the URL path; because chargemap.com does not authenticate that connection, an attacker who knows or discovers a station identifier can connect to the OCPP WebSocket endpoint and speak OCPP as if they were that charger. From that position they can send whatever the backend expects from a station (status, meter values, transaction start and stop events), so the backend's view of the station and the charging network data it records are under the attacker's control, leading to inaccurate billing and operational inefficiencies. If the backend treats the impersonating connection as the live station, commands meant for the real charger are delivered to the attacker instead, which effectively hands them the charging process: sessions and charging rates can be manipulated, vehicles can be disconnected prematurely, and in the worst case charging equipment could be damaged. The blast radius extends to the entire charging network relying on chargemap.com's data.
CVE-2026-25851 was publicly disclosed on 2026-02-26. The vulnerability's criticality (CVSS 9.4) and ease of exploitation (no authentication required, and a station identifier is the only input an attacker needs) suggest a high probability of exploitation. Currently there are no publicly known proof-of-concept exploits, but an unauthenticated endpoint of this kind is a prime target for automated scanning and exploitation. It is not currently listed on CISA KEV.
Exploit status
EPSS: 0.13% (32nd percentile)
The primary mitigation is to apply the vendor's patched version of chargemap.com once it is available. Until then, limit the exposure of the OCPP WebSocket endpoint. Charging stations connect from a predictable set of networks (for example the operator's cellular or fixed-line egress ranges), so a Web Application Firewall (WAF) or network allowlist in front of the endpoint can reject handshakes from any other source. Review and tighten access controls on the chargemap.com backend systems that hold station data, so that unauthorized modifications can be detected and corrected. Monitor OCPP WebSocket traffic for suspicious activity: connections for station identifiers that are not in your inventory, the same identifier connecting from more than one source address, and unexpected message types from a station. Rate limiting on WebSocket handshakes and OCPP requests per source address reduces the value of automated abuse. Note that IP filtering and rate limiting only raise the cost of an attack; they do not replace authentication, because the station identifier remains the only thing the endpoint checks.
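The monitoring and rate-limiting controls above, as an added example that is not code from the page or from Chargemap. It runs the checks over a constructed OCPP connection log (the log format, station inventory, fleet address range and all IP addresses are hypothetical) and flags unknown station identifiers, sources outside the fleet allowlist, one identifier appearing from more than one source address, and handshake bursts from a single address.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed inventory and fleet egress ranges (hypothetical values).
KNOWN_STATIONS = {"CP-0001", "CP-0002", "CP-0003"}
FLEET_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
RATE_LIMIT = 5                 # WebSocket handshakes per source address per window
WINDOW = timedelta(minutes=1)

# Constructed log format: one line per handshake ("Connect") or OCPP message.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) action=(?P<action>\S+)$")

SAMPLE_LOG = """
2026-02-27T10:00:01Z src=203.0.113.5 path=/ocpp/CP-0001 action=Connect
2026-02-27T10:00:02Z src=203.0.113.5 path=/ocpp/CP-0001 action=BootNotification
2026-02-27T10:00:09Z src=198.51.100.77 path=/ocpp/CP-0001 action=Connect
2026-02-27T10:00:10Z src=198.51.100.77 path=/ocpp/CP-0001 action=MeterValues
2026-02-27T10:00:12Z src=198.51.100.77 path=/ocpp/CP-9999 action=Connect
2026-02-27T10:00:13Z src=198.51.100.77 path=/ocpp/CP-0002 action=Connect
2026-02-27T10:00:14Z src=198.51.100.77 path=/ocpp/CP-0003 action=Connect
2026-02-27T10:00:15Z src=198.51.100.77 path=/ocpp/CP-0004 action=Connect
2026-02-27T10:00:16Z src=198.51.100.77 path=/ocpp/CP-0005 action=Connect
""".strip().splitlines()

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(m["src"]),
        # OCPP-J: the station identifier is the last segment of the URL path
        "station": m["path"].rstrip("/").rsplit("/", 1)[-1],
        "action": m["action"],
    }

def analyze(lines):
    """Return (kind, station, src) findings for the four checks."""
    findings = []
    sources_by_station = defaultdict(set)   # distinct source addresses per station ID
    handshakes_by_src = defaultdict(list)   # handshake timestamps per source address
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = str(ev["src"])
        if ev["station"] not in KNOWN_STATIONS:
            findings.append(("unknown-station", ev["station"], src))
        if not any(ev["src"] in net for net in FLEET_RANGES):
            findings.append(("source-outside-fleet", ev["station"], src))
        if ev["action"] != "Connect":
            continue
        # Same station ID arriving from a second address: impersonation or a duplicate.
        seen = sources_by_station[ev["station"]]
        if seen and ev["src"] not in seen:
            findings.append(("station-multi-source", ev["station"], src))
        seen.add(ev["src"])
        # Sliding-window handshake count per source address.
        recent = [t for t in handshakes_by_src[src] if ev["ts"] - t <= WINDOW]
        recent.append(ev["ts"])
        handshakes_by_src[src] = recent
        if len(recent) > RATE_LIMIT:
            findings.append(("rate-limit", ev["station"], src))
    return findings

def summarize(findings):
    return dict(Counter(kind for kind, _, _ in findings))

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
    print(summarize(analyze(SAMPLE_LOG)))
```

In the constructed log the second address takes over CP-0001 while the real station is still connected, then walks through identifiers; the multi-source and rate-limit findings are the ones worth alerting on, since the allowlist and inventory checks will already be enforced by the WAF rule if one is in place.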
Chargemap should implement authentication for the OCPP WebSocket endpoints. OCPP defines security profiles for exactly this: HTTP Basic authentication with a per-station password presented at the WebSocket upgrade (security profiles 1 and 2, the latter over TLS), or TLS with client certificates issued to each station (security profile 3). The credential must be bound to the station identifier in the URL, so that a valid credential for one station cannot be used to impersonate another. This prevents charging station impersonation and unauthorized data manipulation. Operators are advised to review their security configuration and apply updates provided by the vendor.
CVE-2026-25851 is a critical vulnerability in chargemap.com where unauthenticated attackers can impersonate charging stations and manipulate data due to missing authentication on WebSocket endpoints.
Yes, all versions of chargemap.com are affected by this vulnerability. If you rely on chargemap.com for charging station data, you are potentially at risk.
Apply the vendor's patched version of chargemap.com as soon as it becomes available. Until then, restrict which sources can reach the OCPP WebSocket endpoint (WAF or network allowlist) and monitor its traffic for unknown or duplicated station identifiers.
While no public exploits are currently known, the lack of authentication makes it a likely target for exploitation. Vigilance and mitigation are crucial.
Please refer to the chargemap.com security advisories page for updates and official guidance regarding CVE-2026-25851.