CVE-2026-25192 is a critical security vulnerability classified under CWE-306 (Missing Authentication for Critical Function) found in all versions of the CTEK Chargeportal product. The vulnerability arises because the WebSocket endpoints used for Open Charge Point Protocol (OCPP) communication do not enforce any authentication mechanisms. This design flaw allows an attacker to connect to the OCPP WebSocket endpoint by using a known or discovered charging station identifier without any credentials or user interaction. Once connected, the attacker can impersonate the charging station, issuing commands or receiving data as if they were the legitimate device. This unauthorized access can lead to privilege escalation within the charging network, enabling attackers to manipulate charging sessions, disrupt operations, or corrupt data reported to the backend systems. The vulnerability impacts confidentiality, integrity, and availability of the charging infrastructure. The CVSS v3.1 base score of 9.4 reflects the network attack vector, no required privileges, no user interaction, and high impact on confidentiality and integrity with a low impact on availability. Although no patches or mitigations have been published yet, the vulnerability represents a significant risk to electric vehicle charging networks relying on CTEK Chargeportal, especially given the critical role of charging infrastructure in energy and transportation sectors.

The impact of CVE-2026-25192 is substantial for organizations operating electric vehicle charging infrastructure using CTEK Chargeportal. Attackers exploiting this vulnerability can gain unauthorized control over charging stations, potentially disrupting charging services, causing denial of service to legitimate users, or manipulating billing and usage data. This can lead to financial losses, reputational damage, and operational downtime. Additionally, corrupted or manipulated data sent to backend systems can affect analytics, reporting, and grid management decisions, potentially impacting broader energy distribution networks. The lack of authentication also raises concerns about the integrity and trustworthiness of the charging infrastructure, which is critical for the growing electric vehicle ecosystem. Given the criticality of charging infrastructure in many countries' energy and transportation strategies, this vulnerability could have cascading effects on national energy security and smart grid reliability.

To mitigate CVE-2026-25192, organizations should immediately implement network-level controls such as restricting access to the OCPP WebSocket endpoints via firewalls or VPNs to trusted devices only. Monitoring and anomaly detection should be enhanced to identify unusual WebSocket connection attempts or unexpected OCPP commands. Where possible, implement additional authentication layers at the network or application level, such as mutual TLS or token-based authentication proxies, to compensate for the lack of native authentication. Organizations should engage with CTEK for updates and patches and plan for rapid deployment once available. Segmentation of the charging network from other critical infrastructure can limit the blast radius of an attack. Regular audits of charging station identifiers and their usage patterns can help detect unauthorized access attempts. Finally, consider deploying intrusion detection systems tailored to OCPP traffic to detect and respond to suspicious activities in real time.