CVE-2026-27649: CWE-613 in CTEK Chargeportal
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
AI Analysis
Technical Summary
CVE-2026-27649 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) found in the WebSocket backend of CTEK's Chargeportal, a platform used to manage electric vehicle charging stations. The backend uniquely associates sessions using charging station identifiers; however, it permits multiple endpoints to connect using the same session identifier. This design flaw results in predictable session identifiers and allows session hijacking or shadowing attacks. In such attacks, an adversary can establish a new connection using the same session ID, effectively displacing the legitimate charging station's connection. Consequently, the attacker receives backend commands intended for the legitimate station, potentially allowing unauthorized authentication as another user or device. Additionally, the vulnerability can be exploited to cause denial-of-service (DoS) conditions by overwhelming the backend with numerous valid session requests, disrupting normal operations. The vulnerability affects all versions of Chargeportal, with no patches currently available. The CVSS 3.1 base score is 7.3 (high severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No known exploits have been reported in the wild to date.
Potential Impact
This vulnerability poses significant risks to organizations operating electric vehicle charging infrastructure using CTEK Chargeportal. Unauthorized session hijacking can lead to attackers impersonating legitimate charging stations, potentially manipulating charging commands, disrupting billing processes, or causing operational confusion. The ability to displace legitimate connections can interrupt service availability, impacting end-users and damaging organizational reputation. The DoS potential could degrade or halt charging station management services, affecting large-scale deployments and critical infrastructure. Confidentiality and integrity of communication between charging stations and backend systems are compromised, increasing the risk of data leakage or malicious command injection. Given the growing adoption of EV infrastructure globally, exploitation could have widespread operational and financial consequences, especially for utilities, fleet operators, and public charging networks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement the following specific measures:
1) Enforce unique and non-predictable session identifiers that cannot be reused or shadowed by multiple endpoints.
2) Implement strict session management policies that invalidate previous sessions upon new connections using the same identifier.
3) Introduce mutual authentication mechanisms between charging stations and backend systems to prevent unauthorized connections.
4) Monitor WebSocket connections for abnormal session reuse or rapid connection attempts indicative of DoS attacks.
5) Apply network-level protections such as rate limiting and IP filtering to reduce the risk of flooding attacks.
6) Coordinate with CTEK for timely patch deployment once available and consider temporary compensating controls such as isolating vulnerable components or restricting access to trusted networks.
7) Conduct regular security assessments and penetration testing focused on session management and WebSocket communication channels.
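The following is an added example, not code from CTEK or from this advisory, written to show the defect the description above names and the shape of the first four mitigations. The `VulnerableRegistry` class models a backend that keys sessions on the station identifier alone, so a later connection silently displaces the earlier one and receives its commands. The `HardenedRegistry` class binds each session to an authenticated station (a constructed HMAC proof of possession stands in for real mutual authentication), issues a random session token instead of the predictable station id, refuses a second connection while an authenticated session is live, expires idle sessions, and rate-limits reconnect attempts. `detect_session_shadowing` runs over constructed log lines to flag a station id that connects again from a different source within a short window. All names, keys, log formats and thresholds are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from datetime import datetime

# Constructed per-station secrets (hypothetical; a real backend provisions these per device).
STATION_KEYS = {"CS-0001": b"key-for-cs-0001", "CS-0002": b"key-for-cs-0002"}


def station_auth_tag(station_id):
    """Constructed client-side proof of possession: HMAC-SHA256 over the station id."""
    return hmac.new(STATION_KEYS[station_id], station_id.encode(), hashlib.sha256).hexdigest()


class VulnerableRegistry:
    """Session keyed on the station id alone; the most recent connect silently wins."""

    def __init__(self):
        self.sessions = {}

    def connect(self, station_id, conn):
        self.sessions[station_id] = conn      # overwrites any live session, no ownership check
        return station_id                      # the "session id" is the predictable station id

    def route(self, station_id):
        return self.sessions.get(station_id)   # backend commands go to whoever connected last


class HardenedRegistry:
    """Binds a session to an authenticated station, rejects collisions, expires idle sessions."""

    def __init__(self, idle_timeout=60.0, max_connects=3, window=10.0):
        self.idle_timeout, self.max_connects, self.window = idle_timeout, max_connects, window
        self.sessions = {}                     # station_id -> {"conn", "token", "last_seen"}
        self.by_token = {}                     # random token -> station_id
        self.attempts = defaultdict(deque)     # station_id -> recent connect timestamps

    def _rate_limited(self, station_id, now):
        q = self.attempts[station_id]
        while q and now - q[0] > self.window:  # drop attempts outside the sliding window
            q.popleft()
        q.append(now)
        return len(q) > self.max_connects

    def expire(self, now):
        stale = [s for s, v in self.sessions.items() if now - v["last_seen"] > self.idle_timeout]
        for sid in stale:                      # CWE-613: sessions must actually end when idle
            self.by_token.pop(self.sessions.pop(sid)["token"], None)

    def connect(self, station_id, conn, auth_tag, now):
        if self._rate_limited(station_id, now):
            return None, "rate_limited"
        key = STATION_KEYS.get(station_id)
        expected = hmac.new(key or b"", station_id.encode(), hashlib.sha256).hexdigest()
        if key is None or not hmac.compare_digest(expected, auth_tag):
            return None, "auth_failed"
        self.expire(now)
        if station_id in self.sessions:
            return None, "already_connected"   # a newcomer may not shadow a live session
        token = secrets.token_urlsafe(32)      # unpredictable, never derived from the station id
        self.sessions[station_id] = {"conn": conn, "token": token, "last_seen": now}
        self.by_token[token] = station_id
        return token, "ok"

    def heartbeat(self, token, now):
        sid = self.by_token.get(token)
        if sid:
            self.sessions[sid]["last_seen"] = now
        return sid

    def route(self, token):
        sid = self.by_token.get(token)
        return self.sessions[sid]["conn"] if sid else None


SAMPLE_LOG = [  # constructed backend log lines, not output from the product
    "2026-03-20T23:00:00Z ws connect station=CS-0001 src=10.0.0.5",
    "2026-03-20T23:00:03Z ws connect station=CS-0001 src=198.51.100.7",
    "2026-03-20T23:00:04Z ws connect station=CS-0002 src=10.0.0.6",
    "2026-03-20T23:05:00Z ws connect station=CS-0002 src=10.0.0.6",
]


def detect_session_shadowing(lines, window_s=30.0):
    """Flag station ids that reconnect from a different source within window_s seconds."""
    last, flagged = {}, set()
    for line in lines:
        ts, _, _, station, src = line.split()
        t = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        sid, ip = station.split("=", 1)[1], src.split("=", 1)[1]
        prev = last.get(sid)
        if prev and ip != prev[1] and t - prev[0] <= window_s:
            flagged.add(sid)
        last[sid] = (t, ip)
    return sorted(flagged)
```

The hardened registry deliberately rejects a colliding connection rather than letting the newcomer win: a station that genuinely lost its link reconnects once its old session has idled out, whereas an endpoint that merely knows the station id can neither pass the authentication check nor displace the live session. The detector is intentionally simple (same station, different source, short gap) and is meant as a starting point for the monitoring in item 4, tuned to the reconnect behaviour of the fleet.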
Affected Countries
United States, Germany, China, United Kingdom, France, Japan, Canada, Netherlands, South Korea, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-03-12T16:52:46.523Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdda57b462d409683a8c55
Added to database: 3/20/2026, 11:37:59 PM
Last enriched: 3/20/2026, 11:41:58 PM
Last updated: 3/21/2026, 2:52:22 AM