CTEK Chargeportal WebSocket Session Hijacking Vulnerability

Vulnerability

A vulnerability in the WebSocket backend of CTEK Chargeportal allows multiple endpoints to connect using the same session identifier, leading to predictable session identifiers. This flaw enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and intercepts backend commands intended for that station. Additionally, this vulnerability could allow unauthorized users to authenticate as other users or enable a denial-of-service condition by overwhelming the backend with valid session requests.

Impact

Exploitation of this vulnerability could result in unauthorized administrative control over affected charging stations or disrupt charging services, causing a denial-of-service condition.

Remediation

CTEK will be sunsetting this product in April 2026. For more information, please contact CTEK support.

Added: Mar 20, 2026, 11:36 PM
Updated: Mar 20, 2026, 11:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.