Critical authentication bypass vulnerabilities in OCPP WebSocket endpoints allow unauthenticated attackers to impersonate EV charging stations and manipulate infrastructure data.

The software fails to implement proper authentication mechanisms for WebSocket connections. An unauthenticated attacker can use a discovered charging station identifier to connect to the OCPP endpoint and issue unauthorized commands or receive sensitive backend data.

This vulnerability poses a severe threat to electric vehicle (EV) charging networks, potentially leading to unauthorized control of physical infrastructure and financial fraud through data manipulation. The CVSS score of 9.4 reflects the critical risk of privilege escalation and the potential for large-scale disruption of charging services and corruption of billing reporting.

Immediate Action: Update the affected charging management software to the latest version and ensure that WebSocket authentication is strictly enforced for all station identifiers.

Proactive Monitoring: Monitor network traffic for unauthorized WebSocket connections and audit charging station logs for anomalous command patterns or unexpected disconnection/reconnection events.

Compensating Controls: Deploy network-level access control lists (ACLs) or VPNs to restrict access to the OCPP WebSocket endpoints to known, authorized IP addresses of charging stations.

Public Exploit Available: false

Organizations operating EV charging networks must prioritize the remediation of this flaw due to the potential for physical infrastructure manipulation. Immediate application of vendor-provided patches and the implementation of strong authentication for all OCPP communications are mandatory to maintain system integrity.