CVE-2026-22552: CWE-306 in ePower epower.ie
CVE-2026-22552 is a critical vulnerability in the ePower epower.ie product where WebSocket endpoints lack proper authentication. This allows unauthenticated attackers to impersonate legitimate charging stations by connecting to the OCPP WebSocket endpoint using known or discovered station identifiers. Attackers can then issue or receive OCPP commands, leading to unauthorized control over charging infrastructure and potential corruption of backend charging network data. The vulnerability affects all versions of epower.ie and has a CVSS score of 9.4, indicating high impact on confidentiality and integrity with low attack complexity and no user interaction required. Although no known exploits are currently reported in the wild, the risk of privilege escalation and manipulation of critical infrastructure is significant. Organizations relying on ePower charging stations should prioritize implementing authentication controls and monitoring WebSocket communications to mitigate this threat. Countries with significant deployment of electric vehicle infrastructure and ePower products are at higher risk, especially those with strategic interest in EV networks.
AI Analysis
Technical Summary
CVE-2026-22552 is a critical security vulnerability identified in the ePower epower.ie product, specifically involving the Open Charge Point Protocol (OCPP) WebSocket endpoints. The root cause is the absence of proper authentication mechanisms on these WebSocket endpoints, which allows attackers to connect without credentials. An attacker can impersonate a legitimate charging station by using a known or discovered station identifier to establish a WebSocket connection. Once connected, the attacker can issue OCPP commands or receive commands intended for the legitimate charger, effectively gaining unauthorized control over the charging station's operations. This can lead to privilege escalation, unauthorized manipulation of charging sessions, and corruption or falsification of data sent to the backend systems that manage the charging network. The vulnerability affects all versions of epower.ie, indicating a systemic design flaw. The CVSS v3.1 score of 9.4 reflects the vulnerability's critical nature: a network attack vector, no required privileges or user interaction, high impact on confidentiality and integrity, and low impact on availability. While no exploits have been reported in the wild yet, the potential for misuse in critical infrastructure environments is high, especially given the growing reliance on electric vehicle charging networks. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), highlighting the lack of authentication controls as the core issue. With no patches currently available, mitigation must focus on network-level controls and monitoring. This vulnerability poses a significant risk to the integrity and trustworthiness of EV charging infrastructure managed by ePower's epower.ie platform.
Potential Impact
The impact of CVE-2026-22552 is substantial for organizations operating or managing electric vehicle (EV) charging infrastructure using the ePower epower.ie platform. Unauthorized access to OCPP WebSocket endpoints allows attackers to impersonate legitimate charging stations, leading to unauthorized control over charging operations. This can result in manipulation of charging sessions, such as starting or stopping charges, altering billing data, or disrupting service availability. Corruption of backend data compromises the integrity of the charging network's operational and billing records, potentially causing financial losses and undermining trust in the infrastructure. The vulnerability also enables privilege escalation without authentication, increasing the risk of broader network compromise if attackers pivot from charging stations to backend systems. Given the critical role of EV charging infrastructure in transportation and energy sectors, exploitation could have cascading effects on energy management and public services. The lack of authentication and ease of exploitation (no user interaction or privileges required) make this vulnerability highly exploitable. Organizations worldwide that rely on ePower's solutions face risks of operational disruption, reputational damage, regulatory penalties, and potential safety hazards if attackers manipulate charging infrastructure. The absence of known exploits in the wild currently limits immediate impact but does not diminish the urgency for mitigation.
Mitigation Recommendations
To mitigate CVE-2026-22552, organizations should implement the following specific measures beyond generic advice:
1) Deploy network segmentation and firewall rules to restrict access to OCPP WebSocket endpoints only to trusted and authenticated devices or management systems.
2) Implement strong authentication mechanisms at the WebSocket layer, such as mutual TLS or token-based authentication, to ensure only authorized charging stations can connect.
3) Monitor WebSocket traffic for anomalous connections or commands, using intrusion detection systems tailored to OCPP protocol behaviors.
4) Maintain an accurate inventory of charging station identifiers and monitor for unauthorized use or duplication.
5) Work with ePower to obtain patches or updates as they become available, and apply them promptly.
6) Employ logging and alerting on all OCPP command activities to detect potential misuse early.
7) Conduct regular security assessments and penetration testing focused on the charging infrastructure's communication channels.
8) Consider deploying gateway devices that enforce authentication and protocol validation between charging stations and backend systems.
9) Educate operational staff on the risks of unauthorized access and establish incident response plans specific to charging infrastructure compromise.
These targeted actions will help reduce the attack surface and detect or prevent exploitation of this vulnerability.
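The handshake check a gateway in front of the OCPP endpoint could apply, combining the authentication, inventory and duplicate-identifier measures above. This is an added example, not ePower code. It assumes the station identifier is the last segment of the WebSocket URL path and that each station presents a per-station secret as HTTP Basic credentials; `authorize_handshake`, the inventory and all identifiers, secrets and addresses are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed inventory: station identifier -> SHA-256 of its per-station secret.
# Assumes secrets are long random keys, so an unsalted hash is adequate at rest.
INVENTORY = {
    "CP-0001": hashlib.sha256(b"constructed-secret-1").hexdigest(),
    "CP-0002": hashlib.sha256(b"constructed-secret-2").hexdigest(),
}

def authorize_handshake(path, headers, peer_ip, active_sessions):
    """Decide whether a WebSocket upgrade for an OCPP station may proceed.

    path            -- request path; last segment is the claimed station id
    headers         -- dict of lower-cased HTTP request headers
    peer_ip         -- source address of the connecting client
    active_sessions -- dict: station id -> source address of its live session
    Returns (allowed, reason); log the reason for every refusal.
    """
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    expected = INVENTORY.get(station_id)
    if expected is None:
        return False, "unknown-station"          # not in the inventory
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False, "missing-credentials"      # the CWE-306 case: no auth at all
    try:
        user, sep, secret = base64.b64decode(blob, validate=True).partition(b":")
    except ValueError:                           # binascii.Error is a ValueError
        return False, "malformed-credentials"
    # The credential must belong to the same station the URL claims to be.
    if not sep or user.decode("utf-8", "replace") != station_id:
        return False, "identity-mismatch"
    presented = hashlib.sha256(secret).hexdigest()
    if not hmac.compare_digest(presented, expected):   # constant-time compare
        return False, "bad-secret"
    # Policy choice in this example: refuse a second session for an identifier
    # that is already live from another address, and let the operator review it.
    live = active_sessions.get(station_id)
    if live is not None and live != peer_ip:
        return False, "duplicate-session"
    return True, "ok"
```

The refusal reasons double as alert categories: `unknown-station`, `identity-mismatch` and `duplicate-session` are the events the monitoring measures in the list are meant to surface.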
Affected Countries
United States, Germany, China, United Kingdom, France, Netherlands, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-24T00:23:47.080Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69aa15bec48b3f10ff8a0fda
Added to database: 3/5/2026, 11:46:06 PM
Last enriched: 3/6/2026, 12:00:44 AM
Last updated: 3/6/2026, 1:47:08 AM