CVE-2026-27772
OCPP-compliant Charging Infrastructure · OCPP WebSocket Endpoint
WebSocket endpoints lack authentication, allowing unauthenticated attackers to impersonate charging stations and manipulate backend data via the Open Charge Point Protocol.
Executive summary
A critical vulnerability in OCPP WebSocket endpoints allows unauthenticated attackers to impersonate charging stations, potentially leading to unauthorized control of charging infrastructure.
Vulnerability
The WebSocket endpoints do not authenticate connecting clients. An unauthenticated attacker can connect to the OCPP endpoint using a discovered charging station identifier and issue or receive commands as if it were the legitimate charger.
Business impact
A successful exploit allows for complete unauthorized control over electric vehicle charging infrastructure. This could lead to privilege escalation, corruption of charging network data reported to the backend, and significant reputational damage. The CVSS score of 9.4 reflects the critical nature of this flaw and its potential to disrupt essential energy infrastructure.
Remediation
Immediate Action: Update the affected software to the latest version provided by the vendor to implement mandatory authentication for all WebSocket connections.
Proactive Monitoring: Review access logs for the OCPP WebSocket endpoint for any connections originating from unknown IP addresses or using duplicated station identifiers.
Compensating Controls: Implement network-level access control lists (ACLs) or a VPN to restrict access to the WebSocket endpoints to known, authorized charging station IP ranges.
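The log review described under Proactive Monitoring, sketched as an added example (not vendor code and not part of the original advisory). The log line format, the /ocpp/<station id> path layout and the allowlisted ranges are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed allowlist of charger networks (placeholder ranges, adjust to your estate).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Assumed log format: "<ISO time> <source IP> GET /ocpp/<station id> <HTTP status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /ocpp/(?P<station>[^/\s?]+) (?P<status>\d{3})$"
)

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = """\
2026-01-10T08:00:01Z 10.20.1.15 GET /ocpp/CP-0001 101
2026-01-10T08:00:04Z 10.20.1.16 GET /ocpp/CP-0002 101
2026-01-10T08:03:12Z 198.51.100.7 GET /ocpp/CP-0001 101
2026-01-10T08:05:40Z 10.20.1.16 GET /ocpp/CP-0002 101
2026-01-10T08:06:02Z 203.0.113.9 GET /ocpp/CP-0099 403
not a log line
"""


def review_ocpp_log(text, allowed=ALLOWED_NETS):
    """Return (events from non-allowlisted IPs, station IDs accepted from >1 IP)."""
    unknown = []
    sources = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an OCPP connection record
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed source address
        if not any(ip in net for net in allowed):
            unknown.append((m["ts"], str(ip), m["station"], m["status"]))
        if m["status"] == "101":  # upgrade accepted: a session was established
            sources[m["station"]].add(str(ip))
    duplicated = {s: sorted(ips) for s, ips in sources.items() if len(ips) > 1}
    return unknown, duplicated


if __name__ == "__main__":
    unknown, duplicated = review_ocpp_log(SAMPLE_LOG)
    for event in unknown:
        print("unknown source:", *event)
    for station, ips in duplicated.items():
        print("duplicated station id:", station, "from", ", ".join(ips))
```

A station identifier seen from several addresses can also come from a charger whose address changes (for example behind carrier NAT), so treat the duplicate list as a starting point for review rather than a verdict.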
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a significant risk to the integrity of charging networks. It is highly recommended that administrators apply the relevant security patches immediately. Failure to secure these endpoints could allow attackers to manipulate power delivery or compromise the entire backend management system.