critical advisory

Multiple Vulnerabilities in Chargemap Charging Stations

Unauthenticated attackers can exploit multiple vulnerabilities in Chargemap's charging stations, including missing authentication, improper authentication attempt restrictions, insufficient session expiration, and unprotected credentials, potentially leading to unauthorized control and denial-of-service.

Chargemap (chargemap.com) is affected by multiple critical vulnerabilities that could allow attackers to gain unauthorized administrative control over charging stations or disrupt charging services. These vulnerabilities include missing authentication for critical functions (CVE-2026-25851), improper restriction of excessive authentication attempts (CVE-2026-20792), insufficient session expiration (CVE-2026-25711), and insufficiently protected credentials (CVE-2026-20791). All versions of Chargemap (chargemap.com) are affected. The flaws exist within the WebSocket API and the handling of charging station identifiers. Successful exploitation can lead to privilege escalation, data corruption, session hijacking, and denial-of-service conditions. The affected infrastructure sectors include energy and transportation systems, with deployments worldwide.

Attack Chain

  1. Attacker identifies a publicly accessible Chargemap charging station identifier via web-based mapping platforms (CVE-2026-20791).
  2. Attacker connects to the OCPP WebSocket endpoint of the targeted charging station using the discovered identifier without authentication (CVE-2026-25851).
  3. Attacker exploits the lack of authentication to impersonate a legitimate charger.
  4. Attacker floods the WebSocket API with authentication requests, leveraging the absence of rate limiting to conduct a denial-of-service attack (CVE-2026-20792).
  5. Attacker hijacks a legitimate charging station session due to insufficient session expiration and predictable session identifiers (CVE-2026-25711).
  6. Attacker sends malicious commands to the backend, disrupting the charging process and potentially damaging connected vehicles.
  7. Attacker manipulates data sent to the backend, corrupting charging network data and potentially causing billing errors or safety issues.
  8. Attacker gains full administrative control over the charging station, enabling them to modify settings, disable functionality, or use it as a pivot point to attack other systems.

Impact

Successful exploitation of these vulnerabilities could result in widespread disruption of electric vehicle charging services, financial losses due to manipulated charging data, and potential damage to connected vehicles. Given the global deployment of Chargemap, a successful attack could affect numerous users and organizations in the energy and transportation sectors. Attackers could remotely disable charging stations, manipulate pricing, or even cause physical damage to charging infrastructure. The lack of vendor response further exacerbates the potential impact, leaving users vulnerable without readily available patches or workarounds.

Recommendation

  • Minimize network exposure for Chargemap charging stations by ensuring they are not directly accessible from the internet as recommended by CISA.
  • Locate control system networks and remote devices behind firewalls, isolating them from business networks as per CISA guidance.
  • Monitor network traffic for excessive authentication attempts targeting Chargemap charging stations to detect potential denial-of-service attacks leveraging CVE-2026-20792. Implement rate limiting where possible.
  • Deploy the Sigma rule “Detect Unauthenticated OCPP WebSocket Connections” to identify unauthorized connections to charging stations exploiting CVE-2026-25851.
  • Contact Chargemap using their contact page (https://chargemap.com/en-us/support) to inquire about available patches or mitigations for these vulnerabilities.

Detection coverage 2

Detect Unauthenticated OCPP WebSocket Connections

high

Detects unauthenticated connections to OCPP WebSocket endpoints, potentially indicating exploitation of CVE-2026-25851.

sigma | tactics: initial_access | techniques: T1595.002 | sources: network_connection, zeek

Detect Excessive Authentication Attempts to WebSocket API

medium

Detects a high volume of authentication attempts to the WebSocket API, potentially indicating a brute-force or denial-of-service attack exploiting CVE-2026-20792.

sigma | tactics: denial_of_service | techniques: T1499.004 | sources: network_connection, suricata
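
The monitoring recommended above, as an added example that is not the platform's Sigma rule or any Chargemap code: it flags sources that exceed a connection-attempt threshold within a sliding window, and station identifiers presented from more than one source address. The log format, the `/ocpp/<station-id>` path, the thresholds and all sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. Assumed format: ISO time, source IP, request path,
# HTTP status (101 = WebSocket upgrade). The /ocpp/<station-id> path is assumed.
SAMPLE_LOG = [
    "2026-01-10T12:00:00 198.51.100.7 /ocpp/CP-1001 101",
    "2026-01-10T12:05:00 192.0.2.44 /ocpp/CP-1001 101",  # same ID, new source
] + [
    # one source opening 8 connections in 8 seconds
    f"2026-01-10T12:10:{s:02d} 203.0.113.9 /ocpp/CP-2002 101" for s in range(8)
]

def parse(line):
    """Split one log line into (timestamp, source IP, station ID, status)."""
    ts, src, path, status = line.split()
    return datetime.fromisoformat(ts), src, path.rsplit("/", 1)[-1], int(status)

def detect(lines, max_attempts=5, window=timedelta(seconds=10)):
    """Return (flooding_sources, station IDs seen from several sources)."""
    recent = defaultdict(deque)   # source IP -> timestamps inside the window
    sources = defaultdict(set)    # station ID -> source IPs that presented it
    floods = set()
    for line in lines:
        if not line.strip():
            continue
        ts, src, station, _status = parse(line)
        q = recent[src]
        q.append(ts)
        # Drop attempts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_attempts:
            floods.add(src)
        sources[station].add(src)
    shared = {sid: ips for sid, ips in sources.items() if len(ips) > 1}
    return floods, shared

if __name__ == "__main__":
    floods, shared = detect(SAMPLE_LOG)
    print("sources over threshold:", sorted(floods))
    for sid, ips in shared.items():
        print(f"station {sid} presented by multiple sources:", sorted(ips))
```

A station identifier appearing from a second address is a signal to review rather than proof of impersonation, since a charger can legitimately reconnect from a new address.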


Indicators of compromise

Type    Value
domain  chargemap.com