CVE-2025-54816

Summary

This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

Affected Software

VendorProductVersion RangeStatus
EVMAPAEVMAPAAll versionsaffected

Weaknesses

  • CWE-306: CWE-306

Workarounds

EVMAPA informed CISA some of their charging stations do not allow changes to the authorization key using the Open Charge Point Protocol (OCPP). Currently, charge point operators have the option to connect stations using WebSocket Secure (WSS), and EVMAPA connects stations they supply via their own VPN. For OCPP 2.x and newer stations, EVMAPA plans to implement BASIC authorization control.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References