CVE-2026-28204 identifies a vulnerability in the CTEK Chargeportal product, where authentication identifiers for charging stations are publicly accessible via web-based mapping platforms. This exposure falls under CWE-522, which concerns the exposure of credentials or authentication tokens. The vulnerability affects all versions of the product and allows an attacker to obtain authentication identifiers without requiring any privileges or user interaction. The CVSS 3.1 score of 6.5 indicates a medium severity issue with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact primarily affects confidentiality and integrity, as attackers could potentially use the exposed identifiers to impersonate legitimate charging stations or users, manipulate charging sessions, or gain unauthorized access to the charging infrastructure. However, availability is not impacted. No patches or fixes are currently available, and no known exploits have been reported in the wild. The vulnerability arises from improper access control and information disclosure in the Chargeportal’s integration with web-based mapping platforms, which publicly expose sensitive authentication data. This flaw could be leveraged in targeted attacks against EV charging infrastructure, potentially undermining trust and operational security.

The exposure of charging station authentication identifiers can lead to unauthorized access and manipulation of EV charging sessions, potentially resulting in fraudulent usage, billing inaccuracies, or denial of service through resource exhaustion. Confidentiality is compromised as sensitive authentication data is publicly accessible, and integrity is at risk due to possible unauthorized modifications or impersonation. Although availability is not directly affected, operational disruptions could occur indirectly through misuse or targeted attacks. Organizations managing EV charging infrastructure may face financial losses, reputational damage, and increased operational risks. The vulnerability could also undermine user trust in EV charging services and slow adoption of electric vehicles. Given the widespread deployment of CTEK Chargeportal globally, especially in regions with advanced EV infrastructure, the impact could be significant if exploited at scale.

To mitigate this vulnerability, organizations should immediately audit and restrict access to authentication identifiers exposed via web-based mapping platforms, ensuring that such sensitive data is not publicly accessible. Implement network-level access controls and authentication mechanisms to protect charging station credentials. Employ encryption and tokenization techniques to safeguard authentication data both at rest and in transit. Monitor logs and network traffic for unusual access patterns or attempts to use exposed identifiers. Engage with CTEK to obtain updates or patches once available and apply them promptly. Consider isolating the Chargeportal system from public-facing services or employing API gateways with strict access policies. Additionally, conduct regular security assessments and penetration testing focused on information disclosure risks. Educate operational staff about the risks of credential exposure and establish incident response plans tailored to EV infrastructure threats.