PatchSiren cyber security CVE debrief

CVE-2026-28204 CTEK CVE debrief

CISA's ICSA-26-078-06 reports that authentication identifiers for CTEK Chargeportal charging stations are publicly accessible through web-based mapping platforms. The advisory, published on 2026-03-19, rates the issue CVSS 6.5 (medium). CTEK's remediation note says the product will be sunset in April 2026, so operators should reduce exposure now and plan migration.

Vendor: CTEK
Product: Chargeportal
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-19
Original CVE updated: 2026-03-19
Advisory published: 2026-03-19
Advisory updated: 2026-03-19

Who should care

Operators and administrators of CTEK Chargeportal deployments, EV charging station owners, OT/ICS security teams, and SOC staff who manage externally reachable asset identifiers or mapping integrations.

Technical summary

The advisory states that charging station authentication identifiers are publicly accessible via web-based mapping platforms. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5). While the corpus does not describe active exploitation, public exposure of identifiers can aid asset discovery and increase the risk of follow-on unauthorized access attempts.

Defensive priority

Medium

Recommended defensive actions

  • Inventory all Chargeportal deployments and confirm whether station identifiers are exposed through public mapping services.
  • Restrict or remove public exposure of authentication identifiers and review any integrations with web-based mapping platforms.
  • Apply CISA ICS recommended practices, including least privilege, segmentation, and defense in depth.
  • Work with CTEK support on remediation and migration planning because the product is slated for sunset in April 2026.
  • Monitor for unusual access to station-management systems and validate that only intended identifiers are published externally.

Evidence notes

Grounded in CISA's CSAF advisory ICSA-26-078-06 and its linked CVE record. The advisory names the issue, states that charging station authentication identifiers are publicly accessible via web-based mapping platforms, provides the CVSS 3.1 vector with a score of 6.5, and notes CTEK's April 2026 sunset plan. No KEV entry is present in the supplied data.

Official resources

Publicly disclosed by CISA on 2026-03-19 as ICSA-26-078-06 / CVE-2026-28204. The supplied corpus does not list known exploitation, KEV inclusion, or ransomware use.