PatchSiren cyber security CVE debrief
CVE-2025-54816 EVMAPA CVE debrief
CVE-2025-54816 is a critical authentication weakness in EVMAPA’s WebSocket-based charging-station communications. The CISA advisory says a WebSocket endpoint can be reached without proper authentication, allowing unauthorized users to establish connections and potentially access sensitive data or perform unauthorized actions. In an ICS/OT context, that can translate into privilege escalation and broader system impact if the endpoint is exposed or insufficiently isolated.
- Vendor: EVMAPA
- Product: Unknown
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-22
- Original CVE updated: 2026-01-22
- Advisory published: 2026-01-22
- Advisory updated: 2026-01-22
Who should care
EVMAPA operators, charging-station maintainers, OT/ICS security teams, network administrators managing WebSocket or OCPP connectivity, and incident responders responsible for externally reachable industrial endpoints.
Technical summary
The source advisory assigns a CVSS 3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L). CISA’s remediation note says some charging stations do not allow changes to the authorization key using OCPP, that operators may connect stations using WebSocket Secure (WSS), and that EVMAPA connects stations it supplies via its own VPN. For OCPP 2.x and newer stations, EVMAPA plans to implement BASIC authorization control.
Defensive priority
Immediate. This is a network-reachable, no-auth issue with high confidentiality and integrity impact. Even though the supplied enrichment does not mark it as KEV, exposed systems should be validated and contained as a priority.
Recommended defensive actions
- Identify whether any EVMAPA charging stations expose the affected WebSocket or OCPP interface.
- Enforce authentication and authorization on all WebSocket endpoints; do not rely on network placement alone.
- Prefer WSS and restrict access with VPN, allowlists, and OT/ICS network segmentation.
- Apply vendor guidance and monitor for unauthorized connection attempts or unexpected control actions.
- Track EVMAPA updates for BASIC authorization control on OCPP 2.x and newer stations, then retest after upgrades.
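The authentication and WSS actions above can be enforced at the WebSocket handshake, before any OCPP message is accepted. The following is an added example, not code from EVMAPA or the CISA advisory. It assumes the common OCPP layout in which the station identity is the last URL path segment and is also the HTTP Basic username; `check_upgrade`, `STATION_KEYS`, the `/ocpp/` path and the sample credentials are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store: station identity -> SHA-256 of its key.
# A real deployment would use a salted KDF and a secrets backend.
STATION_KEYS = {"CP-0001": hashlib.sha256(b"constructed-demo-key").hexdigest()}


def check_upgrade(path, headers, is_tls, keys=STATION_KEYS):
    """Decide whether a WebSocket upgrade may proceed: (allowed, reason)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if not is_tls:
        return False, "plain ws:// refused, WSS required"
    # Assumption: station identity is the last path segment of the URL.
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    scheme, _, token = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False, "missing Basic credentials"
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False, "malformed Basic credentials"
    user, sep, password = raw.partition(b":")
    if not sep:
        return False, "malformed Basic credentials"
    # A valid key for one station must not open a session as another.
    if user.decode("utf-8", "replace") != station_id:
        return False, "credential does not match station in URL"
    # Unknown stations are compared against a dummy digest and get the
    # same answer as a wrong key; the comparison itself is constant-time.
    expected = keys.get(station_id, "0" * 64)
    supplied = hashlib.sha256(password).hexdigest()
    if not (hmac.compare_digest(expected, supplied) and station_id in keys):
        return False, "authentication failed"
    return True, "ok"


def basic(user, password):
    """Build an Authorization header value for the constructed samples."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Logging every refused handshake with its reason and source address gives the record of unauthorized connection attempts that the monitoring action calls for.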
Evidence notes
All substantive claims in this debrief come from the supplied CISA CSAF advisory (ICSA-26-022-08 / CVE-2025-54816) and its listed references. The advisory’s initial publication and modified dates are both 2026-01-22T07:00:00Z, matching the supplied CVE timeline. The source explicitly describes unauthenticated WebSocket access, includes a CVSS 3.1 vector with a base score of 9.4, and links CISA ICS defensive guidance plus CWE-306 and CVSS references. The supplied enrichment does not indicate KEV inclusion.
Official resources
- CVE-2025-54816 CVE record (CVE.org)
- CVE-2025-54816 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published ICSA-26-022-08 and the associated CVE on 2026-01-22T07:00:00Z; the CSAF revision history shows an initial publication on the same date. No KEV assignment is indicated in the supplied data.