PatchSiren cyber security CVE debrief

CVE-2026-32663 IGL-Technologies CVE debrief

CISA’s CSAF advisory describes a session-management weakness in IGL-Technologies eParking.fi where charging-station identifiers are used to associate WebSocket sessions, but multiple endpoints can connect with the same session identifier. In practice, that makes session assignment predictable and can let a later connection displace the legitimate station, causing commands to be delivered to the wrong endpoint. The advisory says this can lead to session hijacking or shadowing and may also be used to create denial of service by flooding the backend with valid session requests. IGL-Technologies lists mitigations that include stronger authentication, device-level whitelisting, rate limiting, and enhanced monitoring; the advisory also states that encrypted eParking OCPP deployments and the proprietary eTolppa protocol are not impacted.

Vendor: IGL-Technologies
Product: eParking.fi
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-19
Original CVE updated: 2026-03-19
Advisory published: 2026-03-19
Advisory updated: 2026-03-19

Who should care

Operators of IGL-Technologies eParking.fi deployments, EV charging infrastructure administrators, OT/ICS security teams, and anyone responsible for WebSocket-based charging-station backends and access control.

Technical summary

According to the CISA CSAF advisory, the WebSocket backend uses charging-station identifiers as session identifiers and does not prevent multiple endpoints from connecting with the same identifier. Because the identifiers are predictable, the most recent connection can displace the legitimate charging station and receive backend commands intended for that station. The advisory characterizes this as session hijacking or shadowing and also notes denial-of-service potential through large numbers of valid session requests. Mitigations listed by IGL-Technologies include stronger authentication, device-level whitelisting, rate limiting, and enhanced monitoring; the source also says encrypted eParking OCPP deployments and the proprietary eTolppa protocol are not impacted.

Defensive priority

High. The issue affects session integrity and can disrupt command delivery or availability in charging infrastructure, so exposed deployments should be reviewed and mitigated promptly.

Recommended defensive actions

  • Confirm whether any eParking.fi OCPP servers are deployed in the vulnerable WebSocket/session configuration.
  • Apply the mitigations listed by IGL-Technologies: stronger authentication, device-level whitelisting, rate limiting, and enhanced monitoring.
  • Prefer the encrypted deployment or the proprietary eTolppa protocol where applicable, since the advisory states those are not impacted.
  • Alert on duplicate, reused, or abnormal charging-station session identifiers and investigate any unexpected session displacement.
  • Restrict which charging units are permitted to connect and review backend logs for bursts of valid session requests.
  • Contact IGL-Technologies security at [email protected] for product-specific remediation guidance.
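As an added illustration of the two alerting actions above (not code from the advisory or from IGL-Technologies), the Python below runs over a constructed WebSocket-backend connection log and flags a connect for a station identifier whose session is still live, which is the displacement/shadowing pattern the advisory describes, as well as bursts of session requests. The log format, field names, addresses and thresholds are all assumptions.

```python
"""Flag charging-station session displacement and connect floods.

Assumed log format (constructed, not eParking.fi's real format):
  <ISO timestamp> event=<connect|disconnect> station=<id> src=<ip>
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: CS-0042 is live from 10.0.1.20, then a second
# endpoint connects with the same station identifier.
SAMPLE_LOG = """\
2026-03-19T08:00:00Z event=connect station=CS-0042 src=10.0.1.20
2026-03-19T08:00:05Z event=connect station=CS-0077 src=10.0.1.21
2026-03-19T08:01:10Z event=connect station=CS-0042 src=198.51.100.7
2026-03-19T08:01:11Z event=disconnect station=CS-0077 src=10.0.1.21
2026-03-19T08:02:00Z event=connect station=CS-0077 src=10.0.1.21
"""


def parse_line(line):
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, burst_limit=20, window=timedelta(seconds=60)):
    """Return alert tuples for duplicate-identifier connects and bursts."""
    active = {}        # station id -> src of the session currently live
    recent = deque()   # timestamps of recent connects for the burst check
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid, src, ts = rec["station"], rec["src"], rec["ts"]
        if rec["event"] == "disconnect":
            active.pop(sid, None)
            continue
        # A connect while the identifier is still live displaces the
        # existing session; a different source is the hijack/shadow case.
        if sid in active:
            kind = "displacement" if active[sid] != src else "reconnect"
            alerts.append((ts.isoformat(), sid, kind, active[sid], src))
        active[sid] = src
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > burst_limit:   # many valid session requests: DoS pattern
            alerts.append((ts.isoformat(), "*", "burst", len(recent), src))
    return alerts
```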

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-078-07 for CVE-2026-32663, initially published on 2026-03-19. The supplied source text states that the WebSocket backend permits multiple endpoints to use the same session identifier, enabling predictable sessions, shadowing/hijacking, and potential denial of service. The input metadata marks vendor attribution as low-confidence/needs review, so the product label should be treated cautiously even though the advisory names IGL-Technologies eParking.fi. No exploit code, weaponized reproduction, or public campaign attribution is included in the supplied corpus.

Official resources

CISA’s CSAF advisory for ICSA-26-078-07 was initially published on 2026-03-19, which matches the CVE publish date supplied here. The advisory text also includes an SSVCv2 timestamp of 2026-03-18T05:00:00.000000Z.