Executive Summary
In February 2026, multiple critical vulnerabilities were identified in Chargemap's platform, a widely used electric vehicle charging service. These flaws include missing authentication for critical functions (CVE-2026-25851), improper restriction of excessive authentication attempts (CVE-2026-20792), insufficient session expiration (CVE-2026-25711), and insufficiently protected credentials (CVE-2026-20791). Exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative control over charging stations or disrupt services through denial-of-service attacks. (beyondmachines.net)
The absence of vendor patches and Chargemap's lack of response to coordination requests from CISA highlight the urgency for organizations to implement immediate mitigations. This incident underscores the critical need for robust security measures in EV charging infrastructure, especially as the adoption of electric vehicles continues to rise globally. (beyondmachines.net)
Why This Matters Now
The rapid expansion of electric vehicle infrastructure introduces new attack vectors, making it imperative to address these vulnerabilities promptly to prevent potential disruptions and unauthorized access.
Attack Path Analysis
An attacker exploited publicly accessible charging station identifiers to connect to the OCPP WebSocket endpoint without authentication, impersonating legitimate stations. This allowed unauthorized control over charging infrastructure and manipulation of backend data. The attacker then escalated privileges by exploiting the lack of session management, hijacking active sessions to gain administrative access. Utilizing this access, the attacker moved laterally within the network, compromising additional charging stations. A command and control channel was established through the compromised WebSocket connections, enabling persistent control over the infrastructure. The attacker exfiltrated sensitive operational data by redirecting charger telemetry to external servers. Finally, the attacker disrupted charging services by issuing unauthorized commands, leading to denial-of-service conditions across the network.
Kill Chain Progression
Initial Compromise
Description
An attacker exploited publicly accessible charging station identifiers to connect to the OCPP WebSocket endpoint without authentication, impersonating legitimate stations.
Related CVEs
CVE-2026-25851
CVSS 9.4
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend.
Affected Products:
Chargemap chargemap.com – all
Exploit Status:
no public exploit
CVE-2026-25711
CVSS 7.3
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier, enabling session hijacking or shadowing.
Affected Products:
Chargemap chargemap.com – all
Exploit Status:
no public exploit
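The session shadowing described for CVE-2026-25711 is visible in backend connection logs as a second connection for a station identifier that already has one open. The following detection sketch is an added example, not code from the advisory or from Chargemap; the log format, field names and all sample values are constructed.

```python
# Added example: flag concurrent WebSocket connections that share a station ID.
# The log format and every value in SAMPLE_LOG are constructed for illustration.
from datetime import datetime

SAMPLE_LOG = """\
2026-02-26T10:00:00Z CONNECT station=CP-0001 src=198.51.100.10 conn=a1
2026-02-26T10:00:05Z CONNECT station=CP-0002 src=198.51.100.20 conn=b1
2026-02-26T10:03:00Z CONNECT station=CP-0001 src=203.0.113.77 conn=a2
2026-02-26T10:04:00Z DISCONNECT station=CP-0002 src=198.51.100.20 conn=b1
2026-02-26T10:05:00Z CONNECT station=CP-0002 src=198.51.100.20 conn=b2
2026-02-26T10:06:00Z DISCONNECT station=CP-0001 src=198.51.100.10 conn=a1
"""

def parse_line(line):
    ts, event, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    record["event"] = event
    return record

def find_shadowed_sessions(log_text):
    """Return one alert per CONNECT that arrives while the same station ID
    already has an open connection."""
    open_conns = {}  # station -> {conn_id: src}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        live = open_conns.setdefault(r["station"], {})
        if r["event"] == "CONNECT":
            if live:
                alerts.append({
                    "station": r["station"],
                    "time": r["ts"].isoformat(),
                    "new_src": r["src"],
                    "existing_srcs": sorted(set(live.values())),
                    "different_source": r["src"] not in live.values(),
                })
            live[r["conn"]] = r["src"]
        elif r["event"] == "DISCONNECT":
            live.pop(r["conn"], None)
    return alerts

if __name__ == "__main__":
    for alert in find_shadowed_sessions(SAMPLE_LOG):
        print(alert)
```

A reconnect after a clean disconnect (CP-0002 in the sample) does not alert; only an overlapping connection does, and `different_source` marks the higher-priority case.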
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Valid Accounts
Brute Force
Modify Authentication Process
Exploitation for Credential Access
Adversary-in-the-Middle
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users and Administrators
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Verification and Authentication
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical EV charging infrastructure vulnerabilities enable unauthorized station control and service disruption, compromising energy distribution networks and renewable transportation infrastructure.
Transportation
Authentication bypass in charging stations allows attackers to manipulate EV charging services, disrupt transportation electrification, and compromise fleet charging operations.
Automotive
WebSocket vulnerabilities in charging infrastructure expose EV ecosystem to session hijacking, unauthorized backend manipulation, and denial-of-service attacks on charging networks.
Utilities
Missing authentication controls in charging station management systems create critical infrastructure risks affecting grid stability and electric vehicle service delivery.
Sources
- Chargemap chargemap.com: https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05 (Verified)
- NVD Entry for CVE-2026-25851: https://nvd.nist.gov/vuln/detail/CVE-2026-25851 (Verified)
- NVD Entry for CVE-2026-25711: https://nvd.nist.gov/vuln/detail/CVE-2026-25711 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it could have constrained the attacker's ability to exploit unsecured endpoints, limited lateral movement, and controlled data exfiltration, thereby reducing the overall impact on the charging infrastructure.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit unsecured endpoints and impersonate legitimate stations would likely be constrained, reducing unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by hijacking sessions would likely be constrained, reducing unauthorized administrative access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the scope of compromised charging stations.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing persistent control over the infrastructure.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing unauthorized data transfer to external servers.
The attacker's ability to disrupt charging services would likely be constrained, reducing the impact of denial-of-service conditions across the network.
Impact at a Glance
Affected Business Functions
- Charging Station Operations
- Customer Billing
- Network Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of charging station operational data and customer billing information.
Recommended Actions
Key Takeaways & Next Steps
- Implement robust authentication mechanisms for all WebSocket endpoints to prevent unauthorized access.
- Enforce strict session management policies to prevent session hijacking and ensure session expiration.
- Apply Zero Trust Segmentation to limit lateral movement within the network by enforcing least privilege access.
- Deploy Egress Security & Policy Enforcement controls to monitor and restrict unauthorized data exfiltration attempts.
- Establish comprehensive Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
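One way to implement the first two recommendations on a station-facing WebSocket backend, shown as an added example that is not Chargemap's code: a connection is admitted only with a per-station credential, failed attempts are throttled, each station identifier holds at most one live session, and idle sessions expire. `StationSessionRegistry`, its parameters and its limits are hypothetical, and the WebSocket and OCPP message handling around it is not modeled.

```python
# Added example, not Chargemap code; all names and limits are hypothetical.
import hashlib, hmac, secrets, time

class StationSessionRegistry:
    def __init__(self, idle_timeout=300, max_failures=5, lockout=900):
        self.idle_timeout = idle_timeout
        self.max_failures = max_failures
        self.lockout = lockout
        self.credentials = {}  # station_id -> (salt, PBKDF2 hash)
        self.sessions = {}     # station_id -> (token, last_seen)
        self.failures = {}     # (station_id, src) -> (count, window_start)

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, station_id, password):
        salt = secrets.token_bytes(16)
        self.credentials[station_id] = (salt, self._hash(salt, password))

    def connect(self, station_id, password, src, now=None):
        """Return (accepted, token_or_reason) for a connection attempt."""
        now = time.time() if now is None else now
        key = (station_id, src)  # per-source throttle: guessers cannot lock out the station
        count, start = self.failures.get(key, (0, now))
        if now - start >= self.lockout:
            count, start = 0, now  # failure window expired
        if count >= self.max_failures:
            return False, "locked_out"
        salt, stored = self.credentials.get(station_id, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._hash(salt, password), stored):
            self.failures[key] = (count + 1, start)
            return False, "bad_credentials"
        self.failures.pop(key, None)
        active = self.sessions.get(station_id)
        if active and now - active[1] < self.idle_timeout:
            return False, "session_already_active"  # one live session per ID
        token = secrets.token_urlsafe(32)
        self.sessions[station_id] = (token, now)
        return True, token

    def touch(self, station_id, token, now=None):
        """Accept a message only on the current, non-expired session."""
        now = time.time() if now is None else now
        active = self.sessions.get(station_id)
        if (not active or not hmac.compare_digest(active[0], token)
                or now - active[1] >= self.idle_timeout):
            return False
        self.sessions[station_id] = (token, now)
        return True
```

Rejecting a second connection while a session is live is one policy choice; a backend that prefers "newest authenticated connection wins" would instead close the old socket before issuing the new token.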



