PatchSiren cyber security CVE debrief
CVE-2026-29796 IGL-Technologies CVE debrief
CVE-2026-29796 is a critical authentication weakness in IGL-Technologies eParking.fi that can let an unauthenticated attacker connect to an OCPP WebSocket endpoint, impersonate a charging station, and manipulate backend-facing charger traffic. Because the endpoint accepts a known or discovered station identifier without proper authentication, the impact can include unauthorized control of charging infrastructure, privilege escalation, and corruption of network data reported to the backend. CISA published the advisory on 2026-03-19.
- Vendor: IGL-Technologies
- Product: eParking.fi
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-19
- Original CVE updated: 2026-03-19
- Advisory published: 2026-03-19
- Advisory updated: 2026-03-19
Who should care
EV charging network operators, site administrators, OT/ICS security teams, SOC analysts monitoring charger backends, and organizations running IGL-Technologies eParking.fi OCPP deployments.
Technical summary
The advisory states that WebSocket endpoints lacked proper authentication controls. An attacker who knows or discovers a charging-station identifier can connect to the OCPP WebSocket endpoint without authentication and then issue or receive OCPP commands as though they were a legitimate charger. The reported impact is unauthorized station impersonation, backend data integrity loss, and control-plane abuse of charging infrastructure. CISA’s remediation notes also state that updated OCPP servers added stronger authentication, device-level whitelisting, rate limiting, and enhanced monitoring.
Defensive priority
High / critical priority. The issue is network-reachable, requires no authentication, and affects control and integrity of charging infrastructure. Prioritize any exposed OCPP WebSocket deployments first, especially where station identifiers may be known or enumerable.
Recommended defensive actions
- Apply the vendor-provided eParking.fi OCPP server updates and verify the strengthened authentication controls are enabled.
- Implement device-level whitelisting so only authorized charging units can connect to the OCPP service.
- Restrict network exposure of OCPP WebSocket endpoints to trusted management and charger networks only.
- Enable rate limiting and alerting for abnormal connection attempts or command patterns.
- Review backend logs for unexpected station identifiers, unusual charger impersonation, or malformed OCPP activity.
- Confirm whether your deployment uses the encrypted eParking OCPP server or IGL-Technologies' proprietary eTolppa protocol; the advisory states those are not impacted.
- Contact IGL-Technologies security via [email protected] if you need product-specific remediation guidance.
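The log-review and whitelisting actions above can be checked with a short script. This is an added example, not code from the advisory or from IGL-Technologies; the log line layout, station identifiers, addresses, allowlist and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: one line per WebSocket upgrade, "time src_ip station_id auth".
# The field layout is an assumption, not the eParking.fi log format.
SAMPLE_LOG = """\
2026-03-20T08:00:01Z 10.20.0.11 CP-0001 basic
2026-03-20T08:00:05Z 10.20.0.12 CP-0002 basic
2026-03-20T08:03:10Z 198.51.100.7 CP-0001 none
2026-03-20T08:03:11Z 198.51.100.7 CP-0003 none
2026-03-20T08:03:12Z 198.51.100.7 CP-0004 none
2026-03-20T08:03:13Z 198.51.100.7 CP-0005 none
"""

# Hypothetical device allowlist: station id -> source address it is expected to use.
ALLOWLIST = {"CP-0001": "10.20.0.11", "CP-0002": "10.20.0.12"}
ENUM_THRESHOLD = 3  # distinct station ids from one source before flagging

def review(log_text, allowlist=ALLOWLIST, enum_threshold=ENUM_THRESHOLD):
    """Return findings for the log conditions the advisory says to look for."""
    findings = []
    ids_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            findings.append(("malformed", line))
            continue
        ts, src, station, auth = parts
        ids_by_src[src].add(station)
        if auth == "none":
            # Connection accepted without credentials: the weakness itself.
            findings.append(("unauthenticated", ts, src, station))
        if station not in allowlist:
            findings.append(("unknown_station", ts, src, station))
        elif allowlist[station] != src:
            # Known identifier presented from an address the real charger does not use.
            findings.append(("station_from_unexpected_source", ts, src, station))
    for src, ids in sorted(ids_by_src.items()):
        if len(ids) >= enum_threshold:
            # One source cycling through identifiers suggests identifier discovery.
            findings.append(("many_station_ids_from_one_source", src, len(ids)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Chargers behind NAT or on cellular links may legitimately change source address, so the per-station address check needs tuning to the deployment before it drives alerts.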
Evidence notes
The supplied CISA CSAF advisory for ICSA-26-078-07 / CVE-2026-29796 states that WebSocket endpoints lacked proper authentication, enabling unauthorized station impersonation and backend manipulation. It further states that an unauthenticated attacker can connect using a known or discovered charging-station identifier and issue or receive OCPP commands as a legitimate charger. The advisory was initially published on 2026-03-19 and includes a remediation section describing stronger authentication, device-level whitelisting, rate limiting, and monitoring. No KEV listing or exploit reporting was supplied in the source corpus.
Official resources
- CVE-2026-29796 CVE record: CVE.org
- CVE-2026-29796 NVD detail: NVD
- Source item URL: cisa_csaf
- Source reference: Reference
Publicly disclosed by CISA in CSAF advisory ICSA-26-078-07 on 2026-03-19. The source includes an SSVCv2 context string of E:N/A:Y with timestamp 2026-03-18T05:00:00.000000Z. No KEV entry was supplied.