CVE-2026-25851 is a critical vulnerability affecting all versions of chargemap.com. It stems from a lack of authentication on WebSocket endpoints, allowing attackers to impersonate charging stations. This can lead to unauthorized control of charging infrastructure and corruption of data reported to the backend. A fix is expected, and interim mitigations are available.
The impact of CVE-2026-25851 is significant. An attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier without any authentication. They can then issue OCPP commands as if they were a legitimate charger, effectively taking control of the charging process. This could involve manipulating charging rates, disconnecting vehicles prematurely, or even causing physical damage to charging equipment. The attacker could also corrupt the charging network data reported to the backend, leading to inaccurate billing and operational inefficiencies. The blast radius extends to the entire charging network relying on chargemap.com’s data.
CVE-2026-25851 was publicly disclosed on 2026-02-26. The vulnerability's criticality (CVSS 9.4) and ease of exploitation (no authentication required) suggest a high probability of exploitation. Currently, there are no publicly known proof-of-concept exploits, but the lack of authentication makes it a prime target for automated scanning and exploitation. It is not currently listed on CISA KEV.
Organizations and individuals relying on chargemap.com for charging station data and management are at risk. This includes electric vehicle charging network operators, fleet managers, and EV drivers who depend on accurate charging station information. Shared hosting environments utilizing chargemap.com services may also be vulnerable.
Exploit status: EPSS 0.13% (32nd percentile).
The primary mitigation is to upgrade to a patched version of chargemap.com once available. Until then, implement temporary controls to limit the exposure of OCPP WebSocket endpoints. A Web Application Firewall (WAF) can be configured to restrict access to these endpoints based on IP address or other criteria. Additionally, review and tighten access controls to the chargemap.com backend systems to prevent unauthorized data modification. Monitor OCPP WebSocket traffic for suspicious activity, such as unexpected commands or connections from unknown sources. Consider implementing rate limiting on OCPP requests to mitigate potential abuse.
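The monitoring step above can be made concrete. The following is an added example, not code from chargemap.com or from this advisory: it runs a constructed log of OCPP-J WebSocket sessions against an assumed inventory of provisioned charge point identifiers and flags the signals the paragraph names (a connection from an unknown source, one identifier with two live sessions, and actions a charge point would never initiate). The log format, the sample addresses and the `REGISTRY` mapping are assumptions.

```python
import json
from collections import defaultdict

# OCPP 1.6 actions that a charge point itself may initiate as a CALL (MessageTypeId 2);
# a "charger" sending anything else is not behaving like a charger.
CHARGE_POINT_ACTIONS = {
    "BootNotification", "Heartbeat", "StatusNotification", "MeterValues",
    "Authorize", "StartTransaction", "StopTransaction", "DataTransfer",
    "DiagnosticsStatusNotification", "FirmwareStatusNotification",
}

def analyze(log_lines, registry):
    """Return (cp_id, reason) alerts. `registry` maps each provisioned charge point
    identifier to the source IP it is expected to connect from (assumed inventory)."""
    alerts = []
    connected = defaultdict(set)  # cp_id -> source IPs with an open session
    for line in log_lines:
        rec = json.loads(line)
        cp, ip = rec["cp_id"], rec["src_ip"]
        if rec["event"] == "connect":
            connected[cp].add(ip)
            if cp not in registry:
                alerts.append((cp, f"unknown charge point id from {ip}"))
            elif registry[cp] != ip:
                alerts.append((cp, f"connection from unexpected source {ip}"))
            if len(connected[cp]) > 1:  # one identifier, two live sessions
                alerts.append((cp, "same id connected from multiple sources"))
        elif rec["event"] == "disconnect":
            connected[cp].discard(ip)
        elif rec["event"] == "message":
            frame = json.loads(rec["frame"])  # OCPP-J: [MessageTypeId, UniqueId, Action, Payload]
            if frame[0] == 2 and frame[2] not in CHARGE_POINT_ACTIONS:
                alerts.append((cp, f"unexpected action {frame[2]} from {ip}"))
    return alerts

# Constructed sample: one legitimate charger, then a second connection reusing its id.
REGISTRY = {"CP-1001": "203.0.113.10"}
SAMPLE_LOG = [
    '{"src_ip": "203.0.113.10", "cp_id": "CP-1001", "event": "connect"}',
    '{"src_ip": "203.0.113.10", "cp_id": "CP-1001", "event": "message", '
    '"frame": "[2, \\"a1\\", \\"BootNotification\\", {\\"chargePointVendor\\": \\"x\\"}]"}',
    '{"src_ip": "198.51.100.7", "cp_id": "CP-1001", "event": "connect"}',
    '{"src_ip": "198.51.100.7", "cp_id": "CP-1001", "event": "message", '
    '"frame": "[2, \\"b2\\", \\"RemoteStopTransaction\\", {\\"transactionId\\": 7}]"}',
    '{"src_ip": "192.0.2.44", "cp_id": "CP-9999", "event": "connect"}',
]

if __name__ == "__main__":
    for cp, reason in analyze(SAMPLE_LOG, REGISTRY):
        print(f"ALERT {cp}: {reason}")
```

The per-identifier source allowlist is the weakest of the three signals (chargers behind NAT or cellular links change addresses), so treat it as a hint and the duplicate-session and unexpected-action checks as the stronger indicators.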
Chargemap needs to implement a proper authentication mechanism on its WebSocket endpoints. This would prevent charging-station impersonation and unauthorized manipulation of data. We recommend reviewing your security configuration and applying the updates provided by the vendor.
CVE-2026-25851 is a critical vulnerability in chargemap.com where unauthenticated attackers can impersonate charging stations and manipulate data due to missing authentication on WebSocket endpoints.
Yes, all versions of chargemap.com are affected by this vulnerability. If you rely on chargemap.com for charging station data, you are potentially at risk.
Upgrade to a patched version of chargemap.com as soon as it becomes available. Until then, implement WAF rules and monitor OCPP WebSocket traffic.
While no public exploits are currently known, the lack of authentication makes it a likely target for exploitation. Vigilance and mitigation are crucial.
Please refer to the chargemap.com security advisories page for updates and official guidance regarding CVE-2026-25851.