CVE-2025-54816
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Summary
This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| EVMAPA | EVMAPA | All versions | affected |
Weaknesses
- CWE-306: CWE-306
Workarounds
EVMAPA informed CISA some of their charging stations do not allow changes to the authorization key using the Open Charge Point Protocol (OCPP). Currently, charge point operators have the option to connect stations using WebSocket Secure (WSS), and EVMAPA connects stations they supply via their own VPN. For OCPP 2.x and newer stations, EVMAPA plans to implement BASIC authorization control.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.