Chargemap WebSocket Endpoint Authentication Vulnerability Allowing Unauthorized Station Impersonation

Vulnerability

A vulnerability exists in the WebSocket endpoints of Chargemap's OCPP implementation, where proper authentication mechanisms are lacking. This flaw enables unauthorized station impersonation, allowing attackers to connect to the WebSocket endpoint using a known or discovered charging station identifier. Once connected, they can issue or receive OCPP commands as if they were a legitimate charger. The absence of authentication could lead to privilege escalation, unauthorized control over charging infrastructure, and corruption of charging network data reported to the backend.
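For illustration, an added example (not Chargemap's code and not part of the advisory) of the kind of server-side handshake check the description says is missing, modelled on OCPP's HTTP Basic Authentication security profile, where the station sends its identifier as the username together with a per-station key. The `/ocpp/<station id>` path layout, the `STATION_KEYS` store, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote, urlsplit

# Constructed credential store (assumption): station id -> SHA-256 of its key.
# Production systems would use a salted slow hash, or TLS client certificates.
STATION_KEYS = {"CP-0001": hashlib.sha256(b"constructed-key-1").hexdigest()}


def basic_header(user, key):
    """Build the Authorization header value a station would send."""
    return "Basic " + base64.b64encode(f"{user}:{key}".encode()).decode()


def authorize_upgrade(path, headers):
    """Decide whether a WebSocket upgrade to /ocpp/<station id> may proceed."""
    # The last path segment is only a claim of identity, never proof of it.
    claimed = unquote(urlsplit(path).path.rstrip("/").rsplit("/", 1)[-1])
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False, "missing credentials"
    try:
        user, sep, key = base64.b64decode(blob, validate=True).partition(b":")
    except ValueError:
        return False, "malformed credentials"
    if not sep:
        return False, "malformed credentials"
    # The authenticated username must match the identity claimed in the URL.
    if user.decode("utf-8", "replace") != claimed:
        return False, "identity mismatch"
    expected = STATION_KEYS.get(claimed)
    presented = hashlib.sha256(key).hexdigest()
    # Always run the comparison so unknown ids do not answer measurably faster.
    matches = hmac.compare_digest(presented, expected or "0" * 64)
    if expected is None or not matches:
        return False, "bad credentials"
    return True, "ok"


if __name__ == "__main__":
    print(authorize_upgrade("/ocpp/CP-0001", {}))
    print(authorize_upgrade("/ocpp/CP-0001",
                            {"Authorization": basic_header("CP-0001", "constructed-key-1")}))
```

A request that names a valid station identifier in the URL but carries no credentials, or credentials for a different station, is rejected before any OCPP message is processed.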

Impact

Exploitation of this vulnerability could result in unauthorized administrative control over affected charging stations, allowing for manipulation of OCPP commands and disruption of charging services. Additionally, it could lead to the corruption of charging network data sent to the backend.

Remediation

Chargemap did not respond to CISA's request for coordination. For more information, contact Chargemap through their support page.

Added: Feb 27, 2026, 12:25 AM
Updated: Feb 27, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 7.0
remediation: 0.0
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.