CVE-2026-25851
Published: 27 February 2026
Summary
CVE-2026-25851 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Chargemap Chargemap.Com. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification and authentication of charging station devices before establishing WebSocket connections, directly preventing unauthorized impersonation.
Enforces approved authorizations requiring authentication for access to OCPP WebSocket endpoints, blocking unauthenticated connections and data manipulation.
Protects the authenticity of WebSocket communications sessions, mitigating station impersonation by ensuring only legitimate sessions process OCPP commands.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated WebSocket endpoints enable exploitation of a public-facing application (T1190), privilege escalation via unauthorized station control (T1068), and impersonation of charging stations using identifiers (T1656).
NVD Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue…
more
or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Deeper analysisAI
CVE-2026-25851 involves WebSocket endpoints that lack proper authentication mechanisms, allowing attackers to perform unauthorized station impersonation and manipulate data sent to the backend. This vulnerability affects OCPP WebSocket endpoints used in charging station communications, where no authentication is required for connections. Mapped to CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and was published on 2026-02-27.
An unauthenticated attacker can exploit this by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issuing or receiving OCPP commands as a legitimate charger. Successful exploitation enables privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend.
CISA has issued ICS Advisory ICSA-26-057-05 addressing this vulnerability, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05, along with a related CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json and Chargemap support documentation at https://chargemap.com/en-us/support. Security practitioners should consult these advisories for mitigation details and patch information.
Details
- CWE(s)