Critical Authentication Flaws in Chargemap EV Infrastructure
Overview of the Chargemap Vulnerabilities
According to CISA advisory ICSA-26-057-05, multiple vulnerabilities have been identified in the Chargemap (chargemap.com) infrastructure. These flaws affect the energy and transportation systems sectors, specifically Electric Vehicle (EV) charging infrastructure. The most severe of them allows unauthenticated administrative control and data manipulation, posing a significant risk to the integrity of charging networks worldwide.
Notably, the vendor has reportedly not responded to CISA's attempts at coordination. As of this advisory, no official vendor patches are available, so compensating controls and network isolation are essential for operators of affected hardware.
Technical Analysis of Exploitation Vectors
The identified vulnerabilities center on the communication between charging stations and the backend management system, primarily utilizing the WebSocket protocol and the Open Charge Point Protocol (OCPP).
WebSocket Authentication Bypass (CVE-2026-25851)
With a CVSS score of 9.4, this is the most critical flaw. The WebSocket endpoints used for OCPP communication lack authentication mechanisms. An attacker who discovers or predicts a charging station identifier can establish a connection to the backend, effectively impersonating a legitimate charger. This enables the attacker to issue commands, intercept telemetry, and corrupt charging data. Because the station identifier is the only thing the backend checks, this missing authentication amounts to unauthorized management of entire charging station fleets.
Session Hijacking and Shadowing (CVE-2026-25711)
The backend implementation fails to properly secure session identifiers. Because the system allows multiple endpoints to connect using the same session ID, a new connection can "shadow" or displace a legitimate active session. This weak session handling enables an attacker to intercept commands intended for a specific charger or to induce a denial-of-service (DoS) state by repeatedly forcing legitimate stations to disconnect.
Lack of Rate Limiting and Information Leakage
Two supporting vulnerabilities facilitate the exploitation of the primary flaws:
- CVE-2026-20792: The absence of rate limiting on the WebSocket API allows brute-force attacks against session IDs or volumetric DoS attacks that overwhelm the charging telemetry backend.
- CVE-2026-20791: Information leakage occurs through web-based mapping platforms where station identifiers—required for the aforementioned authentication bypass—are publicly accessible. This lowers the barrier to entry for attackers, as they do not need to physically inspect hardware to gather necessary identifiers.
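The following is an added illustration of the two backend checks whose absence the authentication-bypass and session-shadowing sections above describe: binding a WebSocket connection to a per-station credential rather than to the station identifier alone, and refusing a second connection for a station that is already connected. It is not Chargemap's code and makes no claim about how its backend is built; it models the handshake on OCPP-J conventions (the charge point identity is the last URL path segment, and the OCPP 1.6 security profiles authenticate with HTTP Basic credentials whose username must equal that identity). The station secrets, paths and addresses are constructed for the example. The vulnerable_accept function models the behaviour the advisory describes, for contrast only.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Constructed per-station secrets for this example. A real CSMS would hold
# these in a credential store provisioned when the station is enrolled.
STATION_SECRETS = {
    "FR-ALS-0001": "s3cr3t-for-0001",
    "FR-ALS-0002": "s3cr3t-for-0002",
}


def station_id_from_path(path: str) -> str:
    # OCPP-J convention: the charge point identity is the last path segment,
    # e.g. wss://csms.example/ocpp/FR-ALS-0001 -> "FR-ALS-0001".
    return path.rstrip("/").rsplit("/", 1)[-1]


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def vulnerable_accept(active: dict, path: str, remote_addr: str) -> str:
    # Illustrative model of the weakness described in the advisory (not the
    # vendor's code): whoever names a station ID is that station, and a new
    # connection silently displaces the existing one.
    sid = station_id_from_path(path)
    displaced = active.get(sid)
    active[sid] = remote_addr
    return f"accept (displaced {displaced})" if displaced else "accept"


@dataclass
class HandshakePolicy:
    secrets: dict
    active: dict = field(default_factory=dict)  # station_id -> remote_addr

    def authenticate(self, station_id: str, headers: dict) -> bool:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            return False
        secret = self.secrets.get(station_id)
        # Username must match the identity in the URL, and the secret must
        # exist; compare in constant time so timing does not leak the value.
        if secret is None or user != station_id:
            return False
        return hmac.compare_digest(pwd.encode(), secret.encode())

    def accept(self, path: str, headers: dict, remote_addr: str) -> str:
        sid = station_id_from_path(path)
        if not self.authenticate(sid, headers):
            return "reject: unauthenticated"
        if sid in self.active:
            # Refuse shadowing: the authenticated session keeps the slot
            # until it closes; the operator is alerted rather than the
            # station being displaced.
            return "reject: station already connected"
        self.active[sid] = remote_addr
        return "accept"

    def disconnect(self, station_id: str) -> None:
        self.active.pop(station_id, None)
```

A single-session rule like this one needs a liveness check (OCPP heartbeats or WebSocket pings) so that a station whose link dropped without a close frame can reconnect once the stale session times out; otherwise the rule itself becomes a denial-of-service lever.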
Impact on Critical Infrastructure
Exploitation of these vulnerabilities could lead to widespread disruption of EV charging services. In the context of the Energy and Transportation sectors, this manipulation could facilitate fraudulent charging sessions, permanent disabling of hardware, or the injection of false telemetry data that disrupts regional energy load balancing. Given that Chargemap maintains a global presence, the potential for cross-border infrastructure disruption is significant.
Actionable Recommendations
Because the vendor has not provided an official remediation, defenders must prioritize compensating controls to secure their deployments:
- Network Isolation: Ensure all charging station controllers and management systems are placed behind firewalls and isolated from the public internet. Access should be restricted to known, authorized IP ranges.
- Secure Remote Access: If remote management is required, utilize a Virtual Private Network (VPN). Ensure the VPN software is patched to the latest version and requires multi-factor authentication (MFA).
- Monitor Web Traffic: Organizations should monitor for unusual WebSocket connection patterns or multiple connection attempts using the same station identifiers, which may indicate session shadowing attempts.
- ID Obfuscation: Treat station identifiers as public information. Where possible, avoid using publicly listed identifiers in mapping services if those identifiers also serve as the primary connection token for the OCPP backend, and do not rely on an identifier alone as a credential.
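To make the "Monitor Web Traffic" recommendation concrete, here is an added example (not from the advisory or the vendor) that runs two checks over WebSocket-upgrade log lines: a session-shadowing check that flags a station identifier connecting from more than one source address inside a time window, and a handshake-flood check that flags a single source opening more upgrades than a threshold in that window, which is the brute-force or DoS pattern the rate-limiting section describes. The log format, timestamps, identifiers and addresses are constructed for the example; adapt LINE_RE to whatever your reverse proxy or backend actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example: one line per WebSocket upgrade.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ws-upgrade station=(?P<station>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["station"], m["src"]


def detect(lines, window_s: int = 300, max_per_src: int = 20):
    """Return a list of alerts, one per (type, subject) pair.

    - ("shadowing", station, sorted_sources): the same station identifier
      connected from more than one source address within window_s.
    - ("handshake-flood", src, count): one source exceeded max_per_src
      upgrades within window_s.
    """
    by_station = defaultdict(deque)  # station -> deque[(ts, src)]
    by_src = defaultdict(deque)      # src -> deque[ts]
    alerts, seen = [], set()

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line
        ts, station, src = parsed

        # Slide the windows: drop events older than window_s.
        q = by_station[station]
        q.append((ts, src))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        s = by_src[src]
        s.append(ts)
        while (ts - s[0]).total_seconds() > window_s:
            s.popleft()

        sources = {addr for _, addr in q}
        if len(sources) > 1 and ("shadowing", station) not in seen:
            seen.add(("shadowing", station))
            alerts.append(("shadowing", station, sorted(sources)))

        if len(s) > max_per_src and ("handshake-flood", src) not in seen:
            seen.add(("handshake-flood", src))
            alerts.append(("handshake-flood", src, len(s)))

    return alerts


# Constructed sample: one station reconnecting from a second address, then
# a burst of upgrades from that second address across many station IDs.
SAMPLE_LOG = [
    "2026-02-26T10:00:00Z ws-upgrade station=FR-ALS-0001 src=203.0.113.10",
    "2026-02-26T10:00:40Z ws-upgrade station=FR-ALS-0001 src=198.51.100.7",
] + [
    f"2026-02-26T10:01:{i:02d}Z ws-upgrade station=FR-ALS-{1000 + i} src=198.51.100.7"
    for i in range(25)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A legitimate station that roams between cellular and wired uplinks will trip the shadowing check, so tune the window to the station fleet's reconnect behaviour and treat the alert as a prompt to verify, not as proof of compromise. The flood threshold should sit well above the fleet's normal reconnect storm after a backend restart.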