Cyber Resilience

CVE-2026-25192

Severity: Critical

Published: 20 March 2026
Modified: 06 May 2026
CVSS v4.0 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0048 (37.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25192 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Ctek Charge Portal. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-25192 is a high-severity vulnerability (CVSS v3.1 base score 9.4, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) stemming from OCPP WebSocket endpoints that lack an authentication mechanism, documented under CWE-306 (Missing Authentication for Critical Function). It affects the OCPP (Open Charge Point Protocol) WebSocket endpoints in CTEK charging station software, allowing an attacker to impersonate a charging station and manipulate the data sent to backend systems.

An unauthenticated attacker with network access can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier. This allows them to issue or receive OCPP commands as a legitimate charger, resulting in privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend.

CISA advisory ICSA-26-078-06 and related resources, including CTEK's support page, provide details on mitigation strategies; practitioners should consult these references for patching instructions and remediation guidance.

Vulnerability details

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
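As an added illustration (not code from CTEK or from the advisory), the check below contrasts an OCPP WebSocket upgrade handler that trusts whatever station identifier appears in the URL path with one that only accepts the identifier when HTTP Basic credentials bound to that same identifier are presented, the pattern the OCPP 1.6-J security profiles describe. The `/ocpp/<id>` path layout, the credential store and the station secret are constructed assumptions.

```python
import base64
import hashlib
import hmac
import re
from typing import Mapping, Optional

# Constructed credential store (assumption): station id -> SHA-256 of the
# high-entropy secret provisioned to that station at enrolment.
STATION_SECRETS = {
    "CP-0001": hashlib.sha256(b"example-secret-0001").hexdigest(),
}

# Assumed endpoint layout: the charge point identity is the last path segment.
OCPP_PATH = re.compile(r"^/ocpp/(?P<cp_id>[A-Za-z0-9_-]{1,48})$")

def basic_auth_header(cp_id: str, secret: str) -> dict:
    """Authorization header a legitimately provisioned station sends on upgrade."""
    token = base64.b64encode(f"{cp_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}

def vulnerable_accept(path: str, headers: Mapping[str, str]) -> Optional[str]:
    """CWE-306 pattern: any client naming a plausible station id in the path
    is treated as that station; the caller itself is never authenticated."""
    m = OCPP_PATH.match(path)
    return m.group("cp_id") if m else None

def hardened_accept(path: str, headers: Mapping[str, str]) -> Optional[str]:
    """Accept only if the Basic credentials on the upgrade request are bound
    to the station id in the URL; returns the authenticated id or None."""
    m = OCPP_PATH.match(path)
    if not m:
        return None
    cp_id = m.group("cp_id")
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed credentials are rejected, not ignored
    user, _, password = raw.partition(":")
    expected = STATION_SECRETS.get(cp_id)
    # The username must equal the station id in the path, so one station's
    # credential cannot be reused under another id; compare in constant time.
    if expected is None or not hmac.compare_digest(user.encode(), cp_id.encode()):
        return None
    presented = hashlib.sha256(password.encode()).hexdigest()
    return cp_id if hmac.compare_digest(presented, expected) else None
```

The same binding applies whichever transport credential a deployment uses (Basic auth, or a client certificate whose subject carries the station identity): the identity the backend acts on must come from the verified credential, never from the URL alone.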

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Unauthenticated WebSocket endpoints allow exploitation of a public-facing application (T1190) for initial access through the missing authentication, which in turn facilitates privilege escalation (T1068) through unauthorized station impersonation and control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31904 (same product: Ctek Charge Portal)
CVE-2026-27649 (same product: Ctek Charge Portal)
CVE-2026-26055 (shared CWE-306)
CVE-2026-29796 (shared CWE-306)
CVE-2025-59246 (shared CWE-306)
CVE-2026-27028 (shared CWE-306)
CVE-2026-25848 (shared CWE-306)
CVE-2026-2417 (shared CWE-306)
CVE-2026-27767 (shared CWE-306)
CVE-2020-36892 (shared CWE-306)

Affected Assets

Ctek Charge Portal, all versions

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-14 (Permitted Actions Without Identification or Authentication). Directly requires limiting permitted actions without identification or authentication, preventing unauthorized station impersonation and data manipulation on unauthenticated WebSocket endpoints.

Prevent: IA-3 (Device Identification and Authentication). Mandates device identification and authentication before establishing connections, mitigating impersonation of charging stations via OCPP WebSocket endpoints.

Prevent: Ensures authenticity of communications sessions such as WebSockets by requiring unique identification and authentication, blocking unauthorized command issuance and data corruption.
