LeakyCreds

CVE-2026-25851 - Vulnerability Analysis

Critical | CVSS: 9.4

Last Updated: February 27, 2026

WebSocket OCPP - Broken Access Control

Published: February 27, 2026
Updated: February 27, 2026
Remote Exploitable

Overview

WebSocket endpoints lack proper authentication, allowing unauthenticated attackers to impersonate charging stations and manipulate OCPP commands, leading to unauthorized control and data corruption.

Severity & Score

Severity: Critical
CVSS Score: 9.4

Impact

Attackers can escalate privileges, control charging infrastructure, and corrupt backend charging network data.

Mitigation

Implement proper authentication mechanisms on WebSocket endpoints or update to the latest secure version.
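
One way to enforce authentication at the WebSocket handshake, as an added example (not code from the advisory or any affected product). It assumes the station identity is carried in the URL as `/ocpp/<id>` and that stations present HTTP Basic credentials on the upgrade request; the page names no specific mechanism, and `STATIONS`, `hash_key`, `basic_header` and `authorize_handshake` are hypothetical names with constructed sample values.

```python
import base64, binascii, hashlib, hmac

def hash_key(key: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", key, salt, 100_000)

# Constructed sample store: station identity -> (salt, PBKDF2 hash of its key).
STATIONS = {
    "CP-0001": (b"salt-1", hash_key(b"constructed-key-1", b"salt-1")),
    "CP-0002": (b"salt-2", hash_key(b"constructed-key-2", b"salt-2")),
}

def basic_header(user: str, key: str) -> str:
    """Build the Authorization value a station would send (used for testing)."""
    return "Basic " + base64.b64encode(f"{user}:{key}".encode()).decode()

def authorize_handshake(path, headers):
    """Return (HTTP status, station id or None) for a WebSocket upgrade request.

    101 means the upgrade may proceed; anything else must be rejected before
    any OCPP message is read from the socket.
    """
    # Assumed URL layout: /ocpp/<station identity>
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "ocpp" or not parts[1]:
        return 404, None
    station_id = parts[1]
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return 401, None
    try:
        user, sep, key = base64.b64decode(token, validate=True).partition(b":")
    except (binascii.Error, ValueError):
        return 401, None
    if not sep:
        return 401, None
    # Unknown stations still go through one hash computation (uniform timing).
    salt, expected = STATIONS.get(station_id, (b"unknown", b"\x00" * 32))
    key_ok = hmac.compare_digest(hash_key(key, salt), expected)
    # The authenticated identity must be the one named in the URL, otherwise
    # a valid station could open a session under another station's identity.
    id_ok = hmac.compare_digest(user, station_id.encode())
    if not (key_ok and id_ok and station_id in STATIONS):
        return 401, None
    return 101, station_id
```

Basic credentials are only protected in transit when the endpoint is served over TLS (`wss://`).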

Details

CVE ID: CVE-2026-25851
Severity: Critical
CVSS Score: 9.4
Type: broken_access_control
Status: new

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L