CVE-2026-25851 - Vulnerability Analysis
Critical | CVSS: 9.4 | Last Updated: March 2, 2026
WebSocket OCPP - Broken Access Control
Overview
WebSocket endpoints lack proper authentication, allowing unauthenticated attackers to impersonate charging stations and manipulate OCPP commands, leading to unauthorized control and data corruption.
Severity & Score
Impact
Attackers can escalate privileges, control charging infrastructure, and corrupt backend charging network data.
Mitigation
Implement proper authentication mechanisms on WebSocket endpoints or update to the latest secure version.
References
Social Media Activity (2 posts)
Multiple Vulnerabilities Discovered in Chargemap Platform: Chargemap's charging platform contains four vulnerabilities, including a critical authentication bypass (CVE-2026-25851), that allow unauthenticated attackers to impersonate charging stations and gain administrative control. **Make sure your Chargemap station management is isolated from the internet and behind a firewall or VPN. Since the vendor has not released a patch, that's your only defense until the vendor does something or you replace these systems.** #cybersecurity #infosec #advisory #vulnerability https://beyondmachines.net/event_details/multiple-vulnerabilities-discovered-in-chargemap-platform-z-y-h-q-j/gD2P6Ple2L
CVE-2026-25851 - Critical (9.4) WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a ... https://www.thehackerwire.com/vulnerability/CVE-2026-25851/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-25851
- Severity: Critical
- CVSS Score: 9.4
- Type: broken_access_control
- Status: confirmed
- EPSS: 13.2%
- Social Posts: 2
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L