CTEK Chargeportal WebSocket Authentication Vulnerability Allowing Unauthorized Control of Charging Stations
Vulnerability
A vulnerability exists in the WebSocket endpoints of CTEK Chargeportal, where proper authentication mechanisms are lacking. This flaw enables unauthorized station impersonation and manipulation of data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier and issue or receive OCPP commands as if they were a legitimate charger. The absence of authentication could lead to privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend.
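To make the flaw concrete from the backend's side, the following added example (not CTEK's code, and not taken from the advisory) contrasts a WebSocket upgrade handler that trusts the station identifier in the URL with one that binds that identifier to per-station HTTP Basic credentials, the approach the OCPP 1.6 security profiles use. The function names, the credential store and every charge point id and key are constructed for illustration.

```python
import base64
import hmac
from typing import Mapping, Optional

# Constructed credential store (hypothetical ids and keys): charge point id ->
# the authorization key the backend expects in HTTP Basic Auth on the upgrade.
STATION_KEYS = {"CP-0001": b"k3y-for-cp-0001", "CP-0002": b"k3y-for-cp-0002"}

def station_id_from_path(path: str) -> str:
    """OCPP-J convention: the charge point id is the last URL path segment."""
    return path.rstrip("/").rsplit("/", 1)[-1]

def basic_header(user: str, secret: bytes) -> str:
    """Build an HTTP Basic Authorization header value for a station."""
    return "Basic " + base64.b64encode(user.encode() + b":" + secret).decode()

def accept_upgrade_unauthenticated(path: str, headers: Mapping[str, str]) -> Optional[str]:
    """Vulnerable pattern (the class of flaw in the advisory): the backend trusts
    whatever id appears in the URL, so any client can impersonate any station."""
    cp_id = station_id_from_path(path)
    return cp_id or None

def accept_upgrade_authenticated(path: str, headers: Mapping[str, str]) -> Optional[str]:
    """Hardened pattern: the id in the path must be backed by Basic credentials
    for that same id, compared in constant time. Returns the id or None."""
    cp_id = station_id_from_path(path)
    offered = {p.strip() for p in headers.get("Sec-WebSocket-Protocol", "").split(",")}
    if "ocpp1.6" not in offered:
        return None  # not an OCPP-J client at all
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None  # no credentials: reject instead of trusting the URL
    try:
        user, _, secret = base64.b64decode(auth[6:], validate=True).partition(b":")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = STATION_KEYS.get(cp_id)
    if expected is None or user != cp_id.encode():
        return None  # unknown station, or credentials issued to a different station
    if not hmac.compare_digest(secret, expected):
        return None
    return cp_id
```

Rejecting the upgrade before any OCPP frame is processed is what prevents the impersonation and data-manipulation path described above; a rejected upgrade is also a useful event to log and alert on per station id.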
Impact
Exploitation of this vulnerability could allow unauthorized administrative control over affected charging stations or disrupt charging services, causing a denial-of-service effect.
Remediation
CTEK will be sunsetting this product in April 2026. For more information, contact CTEK support.