CVE-2026-28204 identifies a vulnerability in the CTEK Chargeportal product affecting all versions, where charging station authentication identifiers are publicly accessible via web-based mapping platforms. This vulnerability is classified under CWE-522, which involves exposure of sensitive information through insecure storage or transmission. The core issue is that authentication identifiers, which are critical for verifying legitimate access to charging stations, are inadvertently exposed to the public through mapping services that visualize charging station locations. This exposure occurs without requiring any authentication or user interaction, enabling remote attackers to obtain these identifiers easily. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), with partial impacts on confidentiality (C:L) and integrity (I:L), but no impact on availability (A:N). Although no exploits are currently known in the wild, the public availability of authentication identifiers could allow attackers to impersonate legitimate users or manipulate charging station operations, potentially leading to unauthorized usage or data tampering. The vulnerability affects all versions of the Chargeportal product, suggesting a systemic design or configuration issue. The lack of available patches at the time of publication indicates that organizations must rely on compensating controls until an official fix is released. The vulnerability was published on March 20, 2026, and assigned by ICS-CERT, highlighting its relevance to industrial control systems and critical infrastructure sectors.

The exposure of charging station authentication identifiers can have several impacts on organizations worldwide, especially those managing electric vehicle (EV) charging infrastructure. Confidentiality is compromised as sensitive authentication data is publicly accessible, potentially allowing unauthorized parties to identify and misuse charging stations. Integrity is also at risk because attackers could leverage these identifiers to impersonate legitimate users or manipulate charging station operations, leading to fraudulent charging sessions or tampering with usage data. While availability is not directly impacted, unauthorized access could indirectly affect service reliability or trust in the charging network. For organizations, this could result in financial losses due to unauthorized usage, reputational damage, and potential regulatory penalties for failing to protect sensitive information. The vulnerability is particularly concerning for critical infrastructure providers and municipalities that rely on Chargeportal for managing public charging stations. The lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing the likelihood of opportunistic attacks. Although no known exploits exist yet, the public nature of the exposed data could facilitate reconnaissance and targeted attacks. Overall, the vulnerability poses a moderate but tangible risk to the confidentiality and integrity of EV charging infrastructure globally.

To mitigate CVE-2026-28204 effectively, organizations should implement the following specific measures: 1) Restrict public access to authentication identifiers by configuring web-based mapping platforms to exclude or obfuscate sensitive data fields related to authentication. 2) Employ strong access controls and authentication mechanisms on Chargeportal interfaces to ensure that only authorized users can view or manage authentication credentials. 3) Monitor network traffic and logs for unusual access patterns or attempts to retrieve authentication data from mapping services. 4) Coordinate with CTEK to obtain updates or patches as they become available and apply them promptly. 5) Consider deploying network segmentation to isolate charging station management systems from public-facing services. 6) Implement encryption for authentication identifiers both at rest and in transit to prevent unauthorized disclosure. 7) Conduct regular security assessments and penetration testing focused on information exposure risks within the EV charging infrastructure. 8) Educate staff and stakeholders about the risks of exposing sensitive authentication data and best practices for secure configuration. These targeted actions go beyond generic advice by focusing on controlling data exposure through mapping platforms and strengthening authentication controls specific to the Chargeportal environment.