CVE-2026-22552 is a critical security vulnerability identified in the ePower epower.ie product affecting all versions. The root cause is the absence of proper authentication mechanisms on the WebSocket endpoints that handle Open Charge Point Protocol (OCPP) communications. OCPP is widely used for communication between electric vehicle (EV) charging stations and central management systems. Due to this lack of authentication, an attacker can connect to the OCPP WebSocket endpoint by using a known or discovered charging station identifier without any credentials or user interaction. Once connected, the attacker can impersonate the charging station, issuing commands or receiving data as if they were the legitimate device. This unauthorized access can lead to privilege escalation, allowing attackers to manipulate charging sessions, disrupt operations, or corrupt the data reported to the backend systems. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a CVSS v3.1 base score of 9.4, indicating critical severity. The attack vector is network-based with no required privileges or user interaction, making exploitation straightforward if the attacker can reach the WebSocket endpoint. Although no patches or fixes have been released yet, the vulnerability demands urgent attention due to the critical role of EV charging infrastructure in energy and transportation sectors.

The impact of CVE-2026-22552 is significant for organizations operating or managing EV charging infrastructure using the ePower epower.ie platform. Unauthorized control over charging stations can lead to multiple adverse outcomes: attackers could manipulate charging sessions to cause financial losses, disrupt service availability, or damage hardware by issuing improper commands. Data integrity is at risk as attackers can corrupt or falsify charging data sent to backend systems, undermining billing accuracy and operational analytics. Confidentiality is also compromised since attackers can intercept or inject OCPP messages, potentially exposing sensitive operational details. The disruption of charging infrastructure could have cascading effects on electric vehicle users, fleet operators, and energy providers, especially in regions heavily reliant on EV technology. Given the criticality of the vulnerability and the lack of authentication, the threat landscape includes both opportunistic attackers and sophisticated adversaries aiming to disrupt critical infrastructure. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a high-risk target for future attacks.

In the absence of an official patch, organizations should implement several specific mitigations to reduce risk: 1) Restrict network access to the OCPP WebSocket endpoints by implementing strict firewall rules and network segmentation to limit exposure to trusted management networks only. 2) Deploy Web Application Firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) configured to detect anomalous WebSocket connections or unusual OCPP command patterns. 3) Enforce strong authentication and authorization at network boundaries, such as VPNs or zero-trust network access solutions, to ensure only authorized entities can reach the charging station endpoints. 4) Monitor logs and network traffic for signs of unauthorized connections or station impersonation attempts, including unexpected station identifiers or command sequences. 5) Engage with the vendor ePower for updates and patches, and plan for rapid deployment once available. 6) Consider implementing additional application-layer authentication or mutual TLS if supported by the infrastructure to add a layer of verification. 7) Educate operational teams about the risks and signs of exploitation to enable timely incident response. These targeted controls go beyond generic advice by focusing on network-level restrictions, monitoring, and compensating controls tailored to the unique characteristics of OCPP and WebSocket communications.