CVE-2026-25851

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25851

9.4 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

W

ebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

References
Link Resource
https://chargemap.com/en-us/support Product
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json Third Party Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05 Third Party Advisory US Government Resource
Configurations

Configuration 1 (hide)

cpe:2.3:a:chargemap:chargemap.com:*:*:*:*:*:*:*:*
History

02 Mar 2026, 15:56

Type Values Removed Values Added
First Time Chargemap chargemap.com
Chargemap
References () https://chargemap.com/en-us/support - () https://chargemap.com/en-us/support - Product
References () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json - () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json - Third Party Advisory
References () https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05 - () https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05 - Third Party Advisory, US Government Resource
CPE cpe:2.3:a:chargemap:chargemap.com:*:*:*:*:*:*:*:*

27 Feb 2026, 14:06

Type Values Removed Values Added
Summary
  • (es) Los puntos finales WebSocket carecen de mecanismos de autenticación adecuados, lo que permite a los atacantes realizar suplantación de estación no autorizada y manipular los datos enviados al backend. Un atacante no autenticado puede conectarse al punto final WebSocket de OCPP utilizando un identificador de estación de carga conocido o descubierto, luego emitir o recibir comandos OCPP como un cargador legítimo. Dado que no se requiere autenticación, esto puede llevar a una escalada de privilegios, control no autorizado de la infraestructura de carga y corrupción de los datos de la red de carga reportados al backend.

27 Feb 2026, 00:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-27 00:16

Updated : 2026-03-05 21:16

NVD link : CVE-2026-25851

Mitre link : CVE-2026-25851

CVE.ORG link : CVE-2026-25851

JSON object : View

Products Affected

chargemap

CWE
CWE-306

Missing Authentication for Critical Function