PatchSiren cyber security CVE debrief
CVE-2026-25851 Chargemap CVE debrief
CVE-2026-25851 is a critical authentication-bypass issue affecting Chargemap's OCPP WebSocket interface. According to the CISA advisory, an attacker who knows or can discover a charging-station identifier can connect without authenticating, impersonate a legitimate charger, and send or receive OCPP commands. The practical impact is unauthorized control of charging infrastructure, privilege escalation within the charging workflow, and corruption of operational data reported to the backend.
- Vendor: Chargemap
- Product: Unknown
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
EV charging operators using Chargemap, OT/ICS security teams, fleet and facilities teams managing charging infrastructure, network and IAM administrators, and SOC/IR teams responsible for monitoring charger-to-backend traffic.
Technical summary
The advisory describes WebSocket endpoints that do not enforce proper authentication. For OCPP traffic, that means an unauthenticated client can attach to the backend-facing endpoint with a known or discovered station identifier and behave like a trusted charging station. Because the trust boundary is broken at the connection layer, the attacker may be able to issue or receive OCPP commands as the charger, which can alter charging-state records, disrupt operations, and degrade the integrity of backend telemetry and control data.
Defensive priority
Critical
Recommended defensive actions
- Inventory all Chargemap-connected charging stations and confirm whether any OCPP WebSocket endpoints are reachable from untrusted networks.
- Restrict access to charging backends with allowlisting, VPN, private connectivity, or other network controls that prevent direct unauthenticated access.
- Verify that each station uses strong per-device authentication and rotate or revoke credentials if exposure is suspected.
- Monitor for anomalous station identifiers, unexpected OCPP sessions, unusual command sequences, and data mismatches between chargers and backend records.
- Treat the exposure as unresolved until you have verified a vendor fix or compensating control; the advisory points to vendor contact rather than a published patch.
- Follow CISA's linked industrial-control-systems defensive guidance for segmentation, defense in depth, and monitoring practices.
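As an added illustration of the monitoring action above (not code from the advisory or from Chargemap), the sketch below triages OCPP WebSocket session events for the three signals listed: unknown station identifiers, sessions opened without credentials, and a station identifier that appears from a second source while its session is still open. The log format, the `/ocpp/<station>` path, the `auth=` field, and the station inventory are all constructed assumptions; adapt the parser to whatever your reverse proxy or backend actually records.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not Chargemap's): one line per
# WebSocket open/close seen at a reverse proxy in front of the OCPP backend.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) path=/ocpp/(?P<station>[^\s/]+) "
    r"auth=(?P<auth>\S+) event=(?P<event>open|close)$"
)

# Constructed sample events; addresses come from private and documentation ranges.
SAMPLE_LOG = """\
2026-02-27T10:00:01Z src=10.20.0.5 path=/ocpp/CP-0001 auth=basic event=open
2026-02-27T10:00:09Z src=10.20.0.6 path=/ocpp/CP-0002 auth=basic event=open
2026-02-27T10:03:40Z src=203.0.113.77 path=/ocpp/CP-0001 auth=none event=open
2026-02-27T10:04:02Z src=203.0.113.77 path=/ocpp/CP-9999 auth=basic event=open
2026-02-27T10:05:00Z src=10.20.0.6 path=/ocpp/CP-0002 auth=basic event=close
2026-02-27T10:06:10Z src=10.20.0.6 path=/ocpp/CP-0002 auth=basic event=open
""".splitlines()


def find_suspect_sessions(lines, inventory):
    """Return (timestamp, station, source, reason) tuples for sessions to triage."""
    open_from = defaultdict(set)  # station id -> source IPs with an open session
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not OCPP session events
        ts, src, station = m["ts"], m["src"], m["station"]
        if m["event"] == "close":
            open_from[station].discard(src)
            continue
        if station not in inventory:
            findings.append((ts, station, src, "station id not in inventory"))
        if m["auth"] == "none":
            findings.append((ts, station, src, "session opened without credentials"))
        if open_from[station] - {src}:
            # Same identifier live from a different address: possible impersonation.
            findings.append((ts, station, src, "second source while session open"))
        open_from[station].add(src)
    return findings


if __name__ == "__main__":
    for finding in find_suspect_sessions(SAMPLE_LOG, {"CP-0001", "CP-0002"}):
        print(*finding)
```

A normal reconnect from the same source after a close, as in the last two sample lines, produces no finding; only the overlapping session from a different address is flagged.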
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-057-05, published and modified on 2026-02-26 UTC. The source text states that WebSocket endpoints lack proper authentication, allowing unauthorized station impersonation and manipulation of backend data. The advisory assigns CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L (9.4, Critical) and includes an SSVCv2 timestamp of 2026-02-25T07:00:00Z. The remediation section says Chargemap did not respond to CISA's coordination request and directs readers to the vendor support page.
Official resources
- CVE-2026-25851 CVE record (CVE.org)
- CVE-2026-25851 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published ICSA-26-057-05 for CVE-2026-25851 on 2026-02-26 UTC. The source advisory notes that Chargemap did not respond to CISA's coordination request.