Cyber Resilience

CVE-2026-22552

Critical

Published: 06 March 2026

Modified: 06 May 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0089 (54.7th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-22552 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Epower Epower.Ie. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-22552 involves WebSocket endpoints that lack proper authentication mechanisms, classified under CWE-306 (Missing Authentication for Critical Function). This vulnerability affects OCPP WebSocket endpoints used for communication between charging stations and backend systems in electric vehicle charging infrastructure. Attackers can exploit the absence of authentication to perform unauthorized station impersonation and manipulate data transmitted to the backend, with a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

An unauthenticated attacker with network access can connect to the OCPP WebSocket endpoint by using a known or discovered charging station identifier. Once connected, the attacker can issue or receive OCPP commands as if acting as a legitimate charger, resulting in privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend.

Mitigation guidance is detailed in official advisories, including CISA ICS Advisory ICSA-26-062-07 available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07, the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-07.json, and vendor support resources at https://epower.ie/support/.

Vulnerability details

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1684.001 Impersonation (Stealth)
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.

T1565.002 Transmitted Data Manipulation (Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The vulnerability enables exploitation of a public-facing WebSocket application (T1190), allows impersonation of charging stations due to missing authentication (T1656), and facilitates manipulation of transmitted data to the backend (T1565.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24912 (same product: Epower Epower.Ie)
CVE-2026-27778 (same product: Epower Epower.Ie)
CVE-2026-24731 (shared CWE-306)
CVE-2026-25851 (shared CWE-306)
CVE-2026-26051 (shared CWE-306)
CVE-2026-26288 (shared CWE-306)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)

Affected Assets

Vendor: epower
Product: epower.ie
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-3 Device Identification and Authentication
Requires unique identification and authentication of charging stations as devices before establishing WebSocket connections, directly preventing unauthorized impersonation and command issuance.

Prevent: AC-14 Permitted Actions Without Identification or Authentication
Explicitly identifies, authorizes, monitors, and reviews actions permitted without authentication, ensuring no critical OCPP WebSocket functions like station impersonation are allowed unauthenticated.

Prevent
Mandates authentication of service users (charging stations) by the OCPP WebSocket service before establishing communications, blocking unauthenticated connections and data manipulation.
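The controls above all come down to one backend-side rule: no OCPP WebSocket session is established until the connecting station has been identified and authenticated, and the identity it authenticates as must be the one it claims in the connection URL. The following is an added example, not code from this page, from the vendor, or from the CISA advisory. It shows a central-system (CSMS) handshake gate written as a plain parser over the raw HTTP upgrade request, so it runs without a WebSocket library. It assumes the OCPP 1.6-J style of connection, where the station identity is the last path segment of the URL and credentials are sent as HTTP Basic authentication with the station identity as username; that deployment choice, the station IDs, the secrets, and the credential store are all constructed for the example.

```python
"""Gate an OCPP-J WebSocket upgrade on charging-station authentication (hypothetical).

The upgrade request is parsed; the station must present HTTP Basic credentials
whose username equals the station identity at the end of the URL path, and the
shared secret must match a salted PBKDF2 hash before a 101 is returned.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a station's shared secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


# Constructed credential store: station identity -> (salt, hashed secret).
_SALT = b"constructed-salt-0001"
STATION_CREDENTIALS: dict[str, tuple[bytes, bytes]] = {
    "CP-0001": (_SALT, _hash_secret("constructed-secret-for-CP-0001", _SALT)),
}


@dataclass
class HandshakeDecision:
    accepted: bool
    status: int                 # HTTP status to answer the upgrade with
    station_id: Optional[str]   # authenticated identity, set only when accepted
    reason: str


def parse_upgrade_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request head into method, target and lowercased headers."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def authenticate_upgrade(raw: bytes) -> HandshakeDecision:
    """Decide whether an OCPP WebSocket upgrade may proceed; never 101 without credentials."""
    try:
        method, target, headers = parse_upgrade_request(raw)
    except ValueError as exc:
        return HandshakeDecision(False, 400, None, str(exc))
    if method != "GET" or headers.get("upgrade", "").lower() != "websocket":
        return HandshakeDecision(False, 400, None, "not a websocket upgrade")
    offered = {p.strip() for p in headers.get("sec-websocket-protocol", "").split(",")}
    if "ocpp1.6" not in offered:
        return HandshakeDecision(False, 400, None, "ocpp1.6 subprotocol not offered")
    # Station identity is the last path segment of the connection URL (assumed OCPP-J layout).
    station_id = target.rstrip("/").rsplit("/", 1)[-1]
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        # A known or guessed station identifier alone is not enough to get a session.
        return HandshakeDecision(False, 401, None, "credentials required")
    try:
        user, _, secret = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return HandshakeDecision(False, 400, None, "malformed credentials")
    # The authenticated username must be the identity claimed in the URL, so a
    # station cannot authenticate as one identity and then report as another.
    if not hmac.compare_digest(user.encode(), station_id.encode()):
        return HandshakeDecision(False, 401, None, "identity mismatch")
    record = STATION_CREDENTIALS.get(station_id)
    if record is None:
        _hash_secret(secret, _SALT)  # same cost as a real check, so unknown IDs look alike
        return HandshakeDecision(False, 401, None, "unknown station")
    salt, expected = record
    if not hmac.compare_digest(_hash_secret(secret, salt), expected):
        return HandshakeDecision(False, 401, None, "bad secret")
    return HandshakeDecision(True, 101, station_id, "authenticated")


def build_upgrade_request(path_id: str, secret: Optional[str] = None,
                          auth_user: Optional[str] = None) -> bytes:
    """Construct a sample OCPP-J upgrade request (constructed test input, not a client)."""
    lines = [
        f"GET /ocpp/{path_id} HTTP/1.1",
        "Host: csms.example.invalid",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Version: 13",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
        "Sec-WebSocket-Protocol: ocpp1.6",
    ]
    if secret is not None:
        cred = f"{auth_user or path_id}:{secret}"
        lines.append("Authorization: Basic " + base64.b64encode(cred.encode()).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    for label, req in [
        ("known id, no credentials", build_upgrade_request("CP-0001")),
        ("valid credentials", build_upgrade_request("CP-0001", "constructed-secret-for-CP-0001")),
        ("wrong secret", build_upgrade_request("CP-0001", "guess")),
    ]:
        print(f"{label:26s} -> {authenticate_upgrade(req)}")
```

The first case in the demo is exactly the condition the vulnerability description relies on (a valid station identifier and nothing else) and the gate answers it with 401 rather than 101. In a real deployment the same decision would be made in the HTTP upgrade handler of the WebSocket server, before any OCPP frame is read, and the 401 responses are the events worth forwarding to the SOC: a burst of them against many station identifiers from one source is the detection signal for impersonation attempts that this check blocks.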
