Mobility46 WebSocket Authentication Vulnerability Allowing Unauthorized Control of Charging Stations

Vulnerability

A vulnerability exists in the WebSocket endpoints of Mobility46's EV charging management platform and affects all versions. The endpoints lack proper authentication, which allows attackers to impersonate charging stations and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known charging station identifier and issue or receive commands as if they were a legitimate charger. This vulnerability could lead to unauthorized control over charging infrastructure, privilege escalation, and corruption of charging network data reported to the backend.
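
The missing control, sketched as an added example (not Mobility46 code and not part of the advisory): a handshake check that refuses the WebSocket upgrade unless the station identifier in the path is backed by a per-station credential, modelled on the HTTP Basic authentication that the OCPP security profiles define. The path layout, station ids, keys and function name are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store: station id -> SHA-256 hex digest of that
# station's random, high-entropy key. Hypothetical ids and keys for illustration.
STATION_KEYS = {
    "CP-0001": hashlib.sha256(b"constructed-key-for-CP-0001").hexdigest(),
    "CP-0002": hashlib.sha256(b"constructed-key-for-CP-0002").hexdigest(),
}
UNKNOWN = "0" * 64  # dummy digest so unknown ids take the same code path


def authenticate_handshake(path, headers, keys=STATION_KEYS):
    """Return the authenticated station id, or None to refuse the upgrade.

    path    -- request path of the upgrade, e.g. "/ocpp/CP-0001" (assumed layout)
    headers -- dict of request headers with canonical names
    """
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # no credential: the identifier alone is never enough
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None
    expected = keys.get(station_id)
    supplied = hashlib.sha256(password).hexdigest()
    # Constant-time comparisons; the username must match the id in the path,
    # so one station's valid key cannot be used to speak as another station.
    key_ok = hmac.compare_digest(supplied, expected or UNKNOWN)
    id_ok = hmac.compare_digest(user, station_id.encode())
    if expected is None or not (key_ok and id_ok):
        return None
    return station_id
```

The check belongs before the upgrade is accepted and only protects the credential when the connection runs over TLS.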

Impact

Exploitation of this vulnerability could result in unauthorized administrative control over affected charging stations, allowing for manipulation of OCPP commands and disruption of charging services. Additionally, it could lead to a denial-of-service condition on the charging network.

Remediation

Mobility46 has not responded to CISA's request for coordination regarding this vulnerability. For more information, contact Mobility46 through their contact page.

Added: Feb 27, 2026, 1:18 AM
Updated: Feb 27, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 4.8
remediation: 0.0
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.