CVE-2026-27649 affects the CTEK Chargeportal product, which manages electric vehicle charging stations via a WebSocket backend. The vulnerability arises because the backend uses charging station identifiers as session identifiers but allows multiple endpoints to connect using the same session ID. This design flaw results in predictable session identifiers and a lack of proper session uniqueness enforcement. Consequently, an attacker can connect using a known or guessed session ID, effectively hijacking or shadowing the legitimate charging station's session. The hijacker receives backend commands intended for the legitimate station, enabling unauthorized command execution or data interception. Additionally, an attacker can flood the backend with multiple valid session requests, causing denial-of-service conditions by displacing legitimate connections or overwhelming system resources. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 7.3 (high), reflecting network attack vector, low attack complexity, no privileges required, and impacts on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the vulnerability represents a significant risk to operational continuity and security of charging infrastructure managed by Chargeportal.

The vulnerability can have severe impacts on organizations operating electric vehicle charging infrastructure using CTEK Chargeportal. Unauthorized session hijacking allows attackers to impersonate legitimate charging stations, potentially manipulating charging sessions, disrupting billing or usage data, or interfering with operational commands. This compromises confidentiality and integrity of charging operations. The ability to displace legitimate connections or flood the backend with session requests can cause denial-of-service, leading to unavailability of charging services and operational downtime. Such disruptions can affect customer satisfaction, revenue, and trust in service providers. Additionally, attackers gaining unauthorized access could use the platform as a pivot point for further attacks within the network. Given the critical role of EV charging infrastructure in transportation and energy sectors, this vulnerability poses risks to infrastructure reliability and security, especially in regions with high EV adoption.

To mitigate CVE-2026-27649, organizations should implement the following specific measures: 1) Enforce unique session identifiers per endpoint and disallow multiple simultaneous connections using the same session ID to prevent session shadowing. 2) Implement strong, unpredictable session ID generation mechanisms to eliminate predictability and reduce hijacking risk. 3) Introduce authentication and authorization controls on WebSocket connections to verify endpoint legitimacy before establishing sessions. 4) Monitor and rate-limit session connection attempts to detect and block flooding or denial-of-service attempts. 5) Employ network segmentation and firewall rules to restrict access to the Chargeportal backend only to trusted sources. 6) Work with CTEK to obtain patches or updates addressing this vulnerability once available. 7) Conduct regular security assessments and penetration testing focused on session management and WebSocket security. 8) Maintain detailed logging and alerting on session anomalies to enable rapid incident response.