CVE-2026-20781

OCPP Implementations · OCPP WebSocket Endpoint

A lack of authentication in OCPP WebSocket endpoints allows unauthenticated attackers to impersonate charging stations and manipulate charging network data.

Executive summary

The absence of authentication on OCPP WebSocket endpoints allows unauthenticated attackers to impersonate charging stations, leading to unauthorized control of EV infrastructure.

Vulnerability

WebSocket endpoints fail to implement proper authentication mechanisms. An unauthenticated attacker can connect using a known charging station identifier and issue or receive OCPP commands as if they were a legitimate charger.

Business impact

This vulnerability allows for privilege escalation and unauthorized control over EV charging infrastructure. Attackers could manipulate charging sessions, corrupt billing data, or cause localized grid disruptions. With a CVSS score of 9.4, the risk to the reliability and financial integrity of charging networks is critical.

Remediation

Immediate Action: Implement mandatory WebSocket authentication (e.g., Basic Auth or TLS certificates) as specified in the latest OCPP security profiles.

Proactive Monitoring: Review WebSocket connection logs for multiple connections using the same identifier or connections originating from unexpected IP addresses.

Compensating Controls: Implement network-level filtering to ensure only known charging station IP ranges can connect to the backend WebSocket server.
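
The log review described under Proactive Monitoring, checked against the known-range idea from Compensating Controls, can be sketched as below. This is an added example, not code from the advisory or from any OCPP product; the log line format, the station identifiers and the 10.20.0.0/16 range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection log. Assumed format per line:
# ISO timestamp, event (OPEN/CLOSE), charging station identifier, source IP
SAMPLE_LOG = """\
2026-01-10T08:00:00 OPEN CP-0001 10.20.1.15
2026-01-10T08:00:05 OPEN CP-0002 10.20.1.16
2026-01-10T08:03:00 OPEN CP-0001 203.0.113.50
2026-01-10T08:10:00 CLOSE CP-0002 10.20.1.16
2026-01-10T08:12:00 OPEN CP-0002 10.20.1.16
"""

# Assumed allowlist of charging station networks (placeholder range)
KNOWN_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


def analyze(log_text, known_ranges=KNOWN_RANGES):
    """Return a list of (kind, station_id, source_ip, timestamp) findings."""
    open_sessions = defaultdict(list)  # station id -> source IPs still connected
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, event, station, ip_text = parts
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(("malformed_ip", station, ip_text, ts))
            continue
        if event == "OPEN":
            # Connection from outside the expected charging station ranges
            if not any(ip in net for net in known_ranges):
                findings.append(("unexpected_source", station, ip_text, ts))
            # Identifier already has a live connection: possible impersonation
            if open_sessions[station]:
                findings.append(("concurrent_identifier", station, ip_text, ts))
            open_sessions[station].append(ip_text)
        elif event == "CLOSE" and ip_text in open_sessions[station]:
            open_sessions[station].remove(ip_text)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A station that reconnects after a clean close (CP-0002 in the sample) is not flagged; only an identifier with a second live connection or a source outside the allowlist is.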

Exploitation status

Public Exploit Available: No

Analyst recommendation

Securing the communication between charging stations and the backend is vital for the safety and reliability of EV networks. Organizations must enforce strict authentication for all WebSocket connections immediately.