CVE-2026-29796
OCPP Infrastructure · WebSocket Endpoint
A critical authentication flaw in OCPP WebSocket endpoints allows unauthenticated attackers to impersonate charging stations and manipulate backend commands and data.
Executive summary
The absence of authentication on OCPP WebSocket endpoints enables unauthenticated attackers to hijack charging station identities and compromise the integrity of the charging network.
Vulnerability
This vulnerability stems from a lack of proper authentication on WebSocket endpoints utilized by the Open Charge Point Protocol (OCPP). An unauthenticated attacker can establish a connection using a known station identifier, allowing them to impersonate a legitimate charger and interact with the backend system.
Business impact
Successful exploitation could result in unauthorized control of the charging infrastructure, potential service outages, and the corruption of billing or usage data. With a CVSS score of 9.4, the risk to the business includes significant operational disruption and a loss of customer trust in the security of the charging platform.
Remediation
Immediate Action: Update the affected software to the latest version so that authentication is required for all WebSocket communications.
Proactive Monitoring: Review backend logs for anomalous command patterns or station identifiers connecting from unauthorized geographic locations.
Compensating Controls: Deploy a Web Application Firewall (WAF) capable of inspecting WebSocket traffic and enforcing connection limits or IP-based filtering.
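The log review described under Proactive Monitoring can be automated. The following is an added example, not vendor or project code: it flags station identifiers that connect from an unexpected source network, that already have an open session from a different address, or that are not in the inventory. The log line format, the station IDs, and the per-station network baseline (used here in place of geolocation) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log; assumed format: "<time> <event> station=<id> src=<ip>"
SAMPLE_LOG = """\
2026-01-10T08:00:01Z CONNECT station=CP-0001 src=10.20.1.15
2026-01-10T08:00:05Z CONNECT station=CP-0002 src=10.20.2.40
2026-01-10T08:03:12Z CONNECT station=CP-0001 src=203.0.113.77
2026-01-10T08:04:00Z DISCONNECT station=CP-0002 src=10.20.2.40
2026-01-10T08:05:30Z CONNECT station=CP-0002 src=10.20.2.41
2026-01-10T08:06:00Z CONNECT station=CP-0003 src=198.51.100.9
"""

# Assumed baseline: networks each known station is expected to connect from.
EXPECTED_NETS = {
    "CP-0001": ["10.20.1.0/24"],
    "CP-0002": ["10.20.2.0/24"],
}

def parse(line):
    """Split one log line into (timestamp, event, station_id, source_ip)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, event, kv["station"], kv["src"]

def find_anomalies(log_text, expected_nets):
    """Return (timestamp, station, source_ip, reason) for suspicious connects."""
    active = defaultdict(set)  # station id -> source IPs with an open session
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, event, station, src = parse(line)
        if event == "DISCONNECT":
            active[station].discard(src)
            continue
        if event != "CONNECT":
            continue
        nets = expected_nets.get(station)
        addr = ipaddress.ip_address(src)
        if nets is None:
            alerts.append((ts, station, src, "unknown-station"))
        elif not any(addr in ipaddress.ip_network(n) for n in nets):
            alerts.append((ts, station, src, "unexpected-source"))
        # A second live session for the same identity suggests impersonation.
        if active[station] - {src}:
            alerts.append((ts, station, src, "concurrent-session"))
        active[station].add(src)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG, EXPECTED_NETS):
        print(*alert)
```

A station that reconnects from a new address inside its expected network after a clean disconnect (CP-0002 in the sample) raises no alert, which keeps routine reconnects out of the results.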
Exploitation status
Public Exploit Available: false
Analyst recommendation
Securing the communication channel between charging stations and the backend is critical for operational safety. Administrators should verify that all endpoints require strong authentication and consider implementing certificate-based authentication to prevent station impersonation. Apply the recommended vendor patches without delay.