CVE-2026-25192 is a critical security vulnerability identified in all versions of the CTEK Chargeportal product, which is used to manage electric vehicle (EV) charging stations. The core issue is the absence of authentication on WebSocket endpoints that implement the Open Charge Point Protocol (OCPP). This protocol facilitates communication between charging stations and backend management systems. Because the WebSocket endpoints do not require authentication, an attacker can connect to these endpoints using either known or discovered charging station identifiers. Once connected, the attacker can impersonate a legitimate charging station, issuing commands or receiving data as if they were the authentic device. This unauthorized access enables privilege escalation and control over the charging infrastructure, including the ability to manipulate charging sessions, disrupt service, or corrupt data reported to the backend systems. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a CVSS v3.1 base score of 9.4, reflecting its critical nature. The attack vector is network-based with no need for privileges or user interaction, making exploitation relatively straightforward for remote attackers. Although no public exploits have been reported yet, the potential impact on EV charging networks and related critical infrastructure is substantial. The lack of authentication undermines the integrity and confidentiality of the charging network, potentially leading to operational disruptions and data integrity issues.

The impact of CVE-2026-25192 is severe for organizations operating EV charging infrastructure using CTEK Chargeportal. Unauthorized access to charging stations can lead to several consequences: attackers may manipulate charging sessions, causing financial losses or denial of service to legitimate users; they can corrupt or falsify data sent to backend systems, undermining billing accuracy and operational analytics; attackers could escalate privileges within the charging network, potentially pivoting to other connected systems; disruption of charging infrastructure could affect critical transportation services and damage organizational reputation. Given the increasing reliance on EV infrastructure globally, such attacks could have cascading effects on energy management and smart grid operations. The vulnerability’s ease of exploitation and the critical role of charging stations in modern transportation amplify the risk, making it a high-priority threat for energy providers, municipalities, and EV service operators.

To mitigate CVE-2026-25192, organizations should immediately implement network-level access controls to restrict WebSocket endpoint access to trusted sources only, such as via VPNs or IP whitelisting. Deploying Web Application Firewalls (WAFs) capable of inspecting WebSocket traffic can help detect and block unauthorized connection attempts. Since no patches are currently available, organizations should work with CTEK to prioritize development and deployment of authentication mechanisms on the WebSocket endpoints, such as mutual TLS or token-based authentication. Monitoring and logging WebSocket connections for anomalous identifiers or unusual command patterns can provide early detection of exploitation attempts. Segmentation of the charging network from other critical infrastructure reduces lateral movement risk. Additionally, organizations should review and harden OCPP configurations and consider implementing anomaly detection systems tailored to EV charging protocols. Regular security assessments and penetration testing focusing on the charging infrastructure are recommended to identify and remediate related weaknesses.