CVE-2026-22552
OCPP (Open Charge Point Protocol) · WebSocket Endpoints
OCPP WebSocket endpoints lack authentication, allowing unauthenticated attackers to impersonate charging stations. This enables unauthorized control of charging infrastructure and data corruption.
Executive summary
A critical lack of authentication in OCPP WebSocket endpoints allows unauthenticated attackers to impersonate charging stations and manipulate the entire charging network.
Vulnerability
This vulnerability involves a complete lack of authentication mechanisms on WebSocket endpoints used for the Open Charge Point Protocol (OCPP). An unauthenticated attacker can connect to the backend using a discovered charging station identifier, allowing them to send and receive commands as if they were a legitimate hardware unit.
Business impact
The impact is severe for electric vehicle (EV) charging infrastructure providers. Attackers can escalate privileges, manipulate charging session data, and disrupt the operation of the charging network. This could lead to financial loss, fraudulent charging, and significant reputational damage. The CVSS score of 9.4 reflects the high impact on infrastructure availability and data integrity.
Remediation
Immediate Action: Deploy updates that implement mandatory authentication (such as TLS client certificates or robust API keys) for all OCPP WebSocket connections.
Proactive Monitoring: Monitor backend logs for multiple simultaneous connections using the same station ID or connections originating from unexpected IP ranges.
Compensating Controls: Restrict access to the OCPP backend via IP allowlisting and utilize a Web Application Firewall (WAF) capable of inspecting WebSocket traffic for anomalies.
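The check described under Proactive Monitoring, sketched as an added example (not part of the original advisory or any vendor's code): it flags a second live connection for a station ID already in session, and connections from outside an allowlist. The log format, station IDs and IP ranges are constructed assumptions.

```python
import ipaddress

# Assumed allowlist of networks stations legitimately connect from (documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log: "<ISO time> <CONNECT|DISCONNECT> <station_id> <source_ip>"
SAMPLE_LOG = """\
2026-01-10T08:00:01Z CONNECT CP-0001 192.0.2.10
2026-01-10T08:00:05Z CONNECT CP-0002 198.51.100.7
2026-01-10T08:03:12Z CONNECT CP-0001 203.0.113.50
2026-01-10T08:04:00Z DISCONNECT CP-0002 198.51.100.7
2026-01-10T08:04:30Z CONNECT CP-0002 198.51.100.7
2026-01-10T08:05:00Z CONNECT CP-0003 192.0.2.99
2026-01-10T08:05:02Z CONNECT CP-0003 192.0.2.99
not a log line
"""

def detect(log_text, allowed_nets=ALLOWED_NETS):
    """Return a list of (timestamp, station_id, source_ip, reason) alerts."""
    open_sessions = {}  # station_id -> source IPs that currently hold a live connection
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("CONNECT", "DISCONNECT"):
            continue  # skip malformed lines instead of failing the whole run
        ts, event, station, src = parts
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        live = open_sessions.setdefault(station, [])
        if event == "DISCONNECT":
            if src in live:
                live.remove(src)
            continue
        if not any(ip in net for net in allowed_nets):
            alerts.append((ts, station, src, "unexpected-source"))
        if live:  # this station ID already has an open session
            alerts.append((ts, station, src, "duplicate-station-id"))
        live.append(src)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

A station that reconnects before the backend has noticed its old socket drop will also raise the duplicate alert, so triage those hits together with the source address.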
Exploitation status
Public Exploit Available: No
Analyst recommendation
Securing critical infrastructure requires robust authentication by default. Organizations managing EV charging networks must immediately verify their OCPP implementation security. Transitioning to authenticated WebSockets is the only viable path to prevent station impersonation and ensure the reliability of the charging grid.