CVE-2026-31904 identifies a vulnerability in the CTEK Chargeportal product, specifically in its WebSocket Application Programming Interface (API). The core issue is the absence of any restrictions or rate limiting on the number of authentication requests that can be made. This design flaw allows an attacker to flood the authentication mechanism with excessive requests. The consequences are twofold: first, a denial-of-service (DoS) condition can be induced by overwhelming the system, which suppresses or misroutes legitimate charger telemetry data, effectively disrupting normal operations of the EV charging infrastructure managed by Chargeportal. Second, the lack of rate limiting facilitates brute-force attacks against authentication, increasing the risk of unauthorized access to the system. The vulnerability affects all versions of the Chargeportal product, indicating a systemic issue in its design. Exploitation requires no privileges and no user interaction, and can be performed remotely over the network, making it relatively easy to exploit. The vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), highlighting the failure to implement proper controls on authentication request rates. The CVSS v3.1 base score of 7.5 reflects a high severity rating, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), but high availability impact (A:H). No patches or known exploits are currently reported, but the risk remains significant due to the critical role of Chargeportal in EV charging management.

The primary impact of this vulnerability is on the availability of the CTEK Chargeportal service. By exploiting the lack of rate limiting on authentication requests, attackers can launch denial-of-service attacks that disrupt the telemetry data flow from EV chargers, potentially causing operational outages or degraded service quality. This disruption can affect EV charging stations' ability to report status, usage, or faults, leading to reduced reliability and user dissatisfaction. Additionally, the vulnerability facilitates brute-force attacks on authentication, increasing the risk of unauthorized access to the Chargeportal management system. Unauthorized access could lead to further malicious activities, including manipulation of charging schedules, billing fraud, or sabotage of EV charging infrastructure. Given the critical nature of EV charging infrastructure in supporting electric vehicle adoption and energy management, widespread exploitation could have cascading effects on transportation and energy sectors. Organizations worldwide using CTEK Chargeportal are at risk of service interruptions and potential security breaches, impacting operational continuity and customer trust.

To mitigate this vulnerability effectively, organizations should implement strict rate limiting controls on the WebSocket authentication requests to prevent excessive attempts from any single source. This can be done by configuring network-level throttling or application-layer request limiting mechanisms. Monitoring and alerting systems should be enhanced to detect unusual spikes in authentication requests or telemetry disruptions, enabling rapid response to potential attacks. Employing Web Application Firewalls (WAFs) with custom rules to block or challenge suspicious traffic patterns can provide an additional layer of defense. Organizations should also enforce strong authentication policies, including account lockouts or progressive delays after failed attempts, to hinder brute-force attacks. Since no official patches are currently available, organizations should engage with CTEK for updates and apply security patches promptly once released. Network segmentation of the Chargeportal infrastructure and limiting exposure of the WebSocket API to trusted networks can reduce the attack surface. Finally, conducting regular security assessments and penetration testing focused on authentication mechanisms will help identify and remediate similar weaknesses proactively.