PatchSiren cyber security CVE debrief
CVE-2025-55705 EVMAPA CVE debrief
CVE-2025-55705 is a high-severity EVMAPA vulnerability in which the backend can accept multiple simultaneous connections using the same charging station ID (CBID). According to CISA’s advisory, weak session management and expiration control can let an attacker reuse a valid station ID to establish concurrent sessions, creating risk of unauthorized access, inconsistent data, and manipulation of charging sessions. EVMAPA told CISA the issue was resolved by preventing simultaneous connections with the same CBID.
- Vendor
- EVMAPA
- Product
- Unknown
- CVSS
- HIGH 7.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-22
- Original CVE updated
- 2026-01-22
- Advisory published
- 2026-01-22
- Advisory updated
- 2026-01-22
Who should care
EVMAPA operators, EV charging backend administrators, OT/security teams, and defenders responsible for charging session integrity, authentication, and backend access control.
Technical summary
The advisory describes a session-handling flaw: the system permits more than one active backend connection for the same charging station identifier. Because the backend does not sufficiently enforce uniqueness and expiration for these sessions, a valid CBID can be reused to open concurrent sessions. The documented impact is unauthorized access, data inconsistency, and possible manipulation of charging sessions. The supplied references also include CWE-613, which aligns with the described session-expiration weakness.
Defensive priority
High. The issue is network-reachable and requires no user interaction in the provided CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), with the advisory rating it 7.3 High. Prioritize remediation in environments where charging-session integrity or backend authorization is operationally critical.
Recommended defensive actions
- Confirm the EVMAPA fix is deployed and that the backend rejects simultaneous connections for the same CBID.
- Review authentication and session-binding logic so each charging station ID maps to only one valid backend session at a time.
- Add monitoring for duplicate CBID usage, concurrent session attempts, and unexpected session churn.
- Enforce session expiration, revocation, and timeout controls for charging-station connections.
- Audit logs for signs of repeated CBID reuse or inconsistent charging-session state.
- Apply defense-in-depth and segmentation practices from CISA’s ICS guidance where applicable.
Evidence notes
All material here is derived from the supplied CISA CSAF advisory and its references. The advisory states that multiple simultaneous connections with the same charging station ID can cause unauthorized access, data inconsistency, or manipulation of charging sessions, and that EVMAPA resolved the issue by disallowing simultaneous connections with the same CBID. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, matching the published 7.3 High severity.
Official resources
-
CVE-2025-55705 CVE record
CVE.org
-
CVE-2025-55705 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory on 2026-01-22 (ICSA-26-022-08). The source advisory indicates EVMAPA had already resolved the issue and that simultaneous connections with the same CBID are no longer allowed. No Known Exploited Vulnerabilities (