CVE-2026-25851: CWE-306 in Chargemap chargemap.com
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
AI Analysis
Technical Summary
CVE-2026-25851 is a critical security vulnerability identified in all versions of Chargemap's chargemap.com platform, specifically affecting its WebSocket endpoints that handle OCPP (Open Charge Point Protocol) communications between charging stations and backend systems. The root cause is the absence of proper authentication mechanisms on these WebSocket endpoints, classified under CWE-306 (Missing Authentication for Critical Function). This flaw allows an unauthenticated attacker to connect to the OCPP WebSocket endpoint by using a known or discovered charging station identifier, effectively impersonating a legitimate charging station. Once connected, the attacker can issue OCPP commands or receive commands and data as if they were the authentic charger. This unauthorized access can lead to privilege escalation, enabling attackers to control charging infrastructure operations, disrupt charging sessions, or corrupt the data reported to the backend systems. The vulnerability has a CVSS v3.1 score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating it is remotely exploitable over the network without any authentication or user interaction, with high impact on confidentiality and integrity and a low impact on availability. No patches or mitigations are currently published, and no known exploits have been reported in the wild as of the publication date. Given the critical role of EV charging infrastructure in energy and transportation sectors, this vulnerability poses a significant risk to operational reliability and data trustworthiness within affected environments.
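The root cause described above, shown as a server-side accept decision: an added example, not Chargemap's code. The `/ocpp/<station-id>` URL layout, the HTTP Basic credential scheme, the case-sensitive header dictionary and the credential store are assumptions chosen for illustration. The first function trusts the identifier alone; the second requires a per-station secret bound to that identifier.

```python
import base64
import hashlib
import hmac

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store: station id -> (salt, PBKDF2 hash of its secret).
STATIONS = {"CP-0001": (b"salt-0001", hash_password("constructed-secret-1", b"salt-0001"))}
DUMMY = (b"dummy-salt", b"\x00" * 32)  # keeps timing similar for unknown ids

def station_id_from_path(path: str) -> str:
    # Assumed URL layout: /ocpp/<station-id>
    return path.rstrip("/").rsplit("/", 1)[-1]

def accept_identifier_only(path: str, headers: dict) -> bool:
    """CWE-306 pattern: a known identifier is treated as proof of identity."""
    return station_id_from_path(path) in STATIONS

def accept_authenticated(path: str, headers: dict) -> bool:
    """Require Basic credentials whose username equals the station id in the URL."""
    station = station_id_from_path(path)
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, _, password = decoded.partition(":")
    salt, expected = STATIONS.get(station, DUMMY)
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    # Reject credentials of one station presented on another station's URL.
    return ok and user == station and station in STATIONS
```

The check belongs in the HTTP upgrade handler, before the WebSocket is accepted, and only makes sense over TLS.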
Potential Impact
The impact of CVE-2026-25851 on organizations worldwide is substantial, particularly for those operating or managing electric vehicle (EV) charging infrastructure using Chargemap's platform. Unauthorized access to charging stations can lead to several severe consequences: attackers could manipulate charging sessions, causing financial losses or service disruptions; they could escalate privileges to gain broader control over the charging network; and they could corrupt or falsify data reported to backend systems, undermining operational monitoring, billing accuracy, and regulatory compliance. This could also erode customer trust and damage brand reputation. In critical infrastructure contexts, such as public transportation hubs or commercial fleets, disruption or manipulation of charging services could have cascading effects on mobility and energy management. The lack of authentication means the attack surface is broad, and exploitation can be automated and performed remotely without user interaction, increasing the likelihood of attacks once the vulnerability is widely known. Although no exploits are currently reported, the criticality and ease of exploitation make this a high-risk threat that demands immediate attention.
Mitigation Recommendations
To mitigate CVE-2026-25851, organizations should implement the following specific measures:
1) Immediately restrict access to the OCPP WebSocket endpoints by implementing strong authentication mechanisms, such as mutual TLS authentication or token-based authentication, to ensure only authorized charging stations can connect.
2) Employ network segmentation and firewall rules to limit WebSocket endpoint exposure to trusted networks and devices only.
3) Monitor WebSocket connections for anomalous behavior, such as unexpected station identifiers or unusual command patterns, using intrusion detection systems tailored for OCPP traffic.
4) Validate and sanitize all commands and data received from charging stations to prevent injection or manipulation attacks.
5) Coordinate with Chargemap for timely patches or updates once available and apply them promptly.
6) Conduct regular security assessments and penetration testing focused on the charging infrastructure communication channels.
7) Maintain detailed logging and audit trails of OCPP interactions to support incident response and forensic analysis.
8) Educate operational staff about the risks of unauthorized access and establish incident response plans specific to charging infrastructure compromise.
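One way to implement the connection monitoring in measure 3, as an added example that is not from Chargemap or the original page. The event tuple format, the station inventory and the alert names are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict

# Constructed connection events (not real logs):
# (epoch seconds, event, station id, source IP)
EVENTS = [
    (1000, "open",  "CP-0001", "198.51.100.10"),
    (1040, "open",  "CP-0002", "198.51.100.11"),
    (1100, "open",  "CP-0001", "203.0.113.77"),   # second live session, new address
    (1200, "close", "CP-0002", "198.51.100.11"),
    (1260, "open",  "CP-0002", "198.51.100.11"),  # ordinary reconnect
    (1300, "open",  "CP-9999", "203.0.113.77"),   # identifier not in inventory
]
KNOWN_STATIONS = {"CP-0001", "CP-0002"}  # assumed asset inventory

def find_anomalies(events, known):
    """Flag unknown station ids and ids that open a session from a new
    source address while another session for the same id is still live."""
    live = defaultdict(set)  # station id -> source IPs with an open session
    alerts = []
    for ts, kind, station, ip in sorted(events):
        if kind == "close":
            live[station].discard(ip)
            continue
        if station not in known:
            alerts.append((ts, station, ip, "unknown-station-id"))
        elif live[station] - {ip}:
            alerts.append((ts, station, ip, "concurrent-session-from-new-source"))
        live[station].add(ip)
    return alerts
```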
Affected Countries
United States, Germany, France, United Kingdom, Netherlands, Norway, China, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-20T18:28:15.424Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69a0d69332ffcdb8a26c7044
Added to database: 2/26/2026, 11:26:11 PM
Last enriched: 3/6/2026, 8:55:13 PM
Last updated: 4/13/2026, 1:53:14 AM