Platform: other
Component: csaf
CVE-2026-25851 is a critical vulnerability affecting all versions of chargemap.com. It stems from a lack of authentication on WebSocket endpoints, allowing attackers to impersonate charging stations. This can lead to unauthorized control of charging infrastructure and corruption of data reported to the backend. A fix is expected, and interim mitigations are available.
The impact of CVE-2026-25851 is significant. An attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier without any authentication. They can then issue OCPP commands as if they were a legitimate charger, effectively taking control of the charging process. This could involve manipulating charging rates, disconnecting vehicles prematurely, or even causing physical damage to charging equipment. The attacker could also corrupt the charging network data reported to the backend, leading to inaccurate billing and operational inefficiencies. The blast radius extends to the entire charging network relying on chargemap.com’s data.
CVE-2026-25851 was publicly disclosed on 2026-02-26. The vulnerability's criticality (CVSS 9.4) and ease of exploitation (no authentication required) suggest a high probability of exploitation. Currently, there are no publicly known proof-of-concept exploits, but the lack of authentication makes it a prime target for automated scanning and exploitation. It is not currently listed on CISA KEV.
Organizations and individuals relying on chargemap.com for charging station data and management are at risk. This includes electric vehicle charging network operators, fleet managers, and EV drivers who depend on accurate charging station information. Shared hosting environments utilizing chargemap.com services may also be vulnerable.
disclosure
Exploit status
EPSS: 0.13% (percentile 32%)
The primary mitigation is to upgrade to a patched version of chargemap.com once available. Until then, implement temporary controls to limit the exposure of OCPP WebSocket endpoints. A Web Application Firewall (WAF) can be configured to restrict access to these endpoints based on IP address or other criteria. Additionally, review and tighten access controls to the chargemap.com backend systems to prevent unauthorized data modification. Monitor OCPP WebSocket traffic for suspicious activity, such as unexpected commands or connections from unknown sources. Consider implementing rate limiting on OCPP requests to mitigate potential abuse.
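As an added defensive example, not code from the advisory or from Chargemap, the monitoring step above can be turned into a check over the CSMS's WebSocket upgrade log: it flags connections that present no credentials, station identifiers that are not in the operator's inventory or that connect from an unexpected source, one identifier seen from several sources, and bursts of upgrade attempts from one address. The log format, the inventory mapping and the sample lines are constructed assumptions; the credential check relies on the fact that OCPP-J deployments can require HTTP Basic authentication or a TLS client certificate on the upgrade request, which this advisory reports is missing.

```python
import re
from collections import defaultdict

# Constructed (hypothetical) access-log format for WebSocket upgrade requests:
# <ISO time> <client ip> GET /ocpp/<chargePointId> auth=<yes|no> proto=<subprotocol>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET (?P<path>/ocpp/(?P<cp>[^\s/]+)) "
    r"auth=(?P<auth>yes|no) proto=(?P<proto>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines, registry, max_per_ip=3):
    """Return (subject, reason) findings for suspicious OCPP WebSocket connections.

    registry is the operator's own inventory (assumed here): registered charge
    point id -> source IP the station is expected to connect from.
    """
    findings = []
    ips_per_cp = defaultdict(set)      # which sources used each identifier
    attempts_per_ip = defaultdict(int) # upgrade attempts per source address
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cp, ip = rec["cp"], rec["ip"]
        attempts_per_ip[ip] += 1
        ips_per_cp[cp].add(ip)
        if rec["auth"] == "no":
            findings.append((cp, "no credentials presented on WebSocket upgrade"))
        if cp not in registry:
            findings.append((cp, "unknown charge point identifier"))
        elif registry[cp] != ip:
            findings.append((cp, f"connected from unexpected source {ip}"))
    for cp, ips in ips_per_cp.items():
        if len(ips) > 1:  # the same station cannot be in two places at once
            findings.append((cp, f"same identifier seen from {len(ips)} sources"))
    for ip, n in attempts_per_ip.items():
        if n > max_per_ip:  # crude rate check, one source hammering the endpoint
            findings.append((ip, f"{n} upgrade attempts from one source"))
    return findings

# Constructed sample data: two legitimate stations and one foreign address
# that reuses a real identifier and then tries an unregistered one.
SAMPLE_REGISTRY = {"CP-1001": "203.0.113.10", "CP-1002": "203.0.113.11"}
SAMPLE_LOG = [
    "2026-02-26T10:00:00Z 203.0.113.10 GET /ocpp/CP-1001 auth=yes proto=ocpp1.6",
    "2026-02-26T10:00:05Z 198.51.100.7 GET /ocpp/CP-1001 auth=no proto=ocpp1.6",
    "2026-02-26T10:00:06Z 198.51.100.7 GET /ocpp/CP-9999 auth=no proto=ocpp1.6",
    "2026-02-26T10:00:07Z 203.0.113.11 GET /ocpp/CP-1002 auth=yes proto=ocpp1.6",
]

if __name__ == "__main__":
    for subject, reason in analyze(SAMPLE_LOG, SAMPLE_REGISTRY):
        print(f"{subject}: {reason}")
```

Running the block prints five findings for the sample log, all attributable to the foreign address; the legitimate lines produce none.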
Chargemap must implement appropriate authentication mechanisms for the WebSocket endpoints. This will prevent impersonation of charging stations and unauthorized manipulation of data. It is recommended to review security configurations and apply the updates provided by the vendor.
CVE-2026-25851 is a critical vulnerability in chargemap.com where unauthenticated attackers can impersonate charging stations and manipulate data due to missing authentication on WebSocket endpoints.
Yes, all versions of chargemap.com are affected by this vulnerability. If you rely on chargemap.com for charging station data, you are potentially at risk.
Upgrade to a patched version of chargemap.com as soon as it becomes available. Until then, implement WAF rules and monitor OCPP WebSocket traffic.
While no public exploits are currently known, the lack of authentication makes it a likely target for exploitation. Vigilance and mitigation are crucial.
Please refer to the chargemap.com security advisories page for updates and official guidance regarding CVE-2026-25851.