PatchSiren cyber security CVE debrief
CVE-2026-22552 Unknown Vendor CVE debrief
CVE-2026-22552 affects ePower epower.ie WebSocket endpoints used for OCPP communications. CISA says the endpoints lack proper authentication, allowing an unauthenticated attacker with a known or discovered charging-station identifier to impersonate a charger, send or receive OCPP commands, and alter backend-reported data. Because the issue exposes a network-reachable control path without authentication, defenders should treat it as a critical access-control and integrity risk for charging infrastructure.
- Vendor
- Unknown Vendor
- Product
- ePower epower.ie vers:all/*
- CVSS
- CRITICAL 9.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-03
- Original CVE updated
- 2026-03-03
- Advisory published
- 2026-03-03
- Advisory updated
- 2026-03-03
Who should care
Operators and integrators using ePower epower.ie, EV charging network administrators, OT/ICS defenders, and SOC teams responsible for exposed OCPP WebSocket services.
Technical summary
The advisory describes missing authentication on WebSocket endpoints that handle OCPP traffic. An attacker who can reach the endpoint may connect using a charging-station identifier and then act as if they were a legitimate charger, enabling station impersonation and unauthorized command exchange with the backend. The stated impact includes privilege escalation, unauthorized control of charging infrastructure, and corruption of network data reported to the backend.
Defensive priority
Immediate. Restrict exposure of the OCPP WebSocket endpoint, enforce strong authentication and authorization, and monitor for unauthorized station sessions or backend anomalies. CISA’s advisory also notes that ePower did not respond to coordination requests, so teams should rely on compensating controls and vendor contact channels until product-specific guidance is available.
Recommended defensive actions
- Limit OCPP WebSocket access to trusted management networks, VPNs, or other tightly controlled paths.
- Require strong authentication and per-station authorization before allowing WebSocket/OCPP sessions.
- Review charging-station identifiers and session handling for unexpected or duplicated identities.
- Log and alert on new WebSocket connections, unusual command patterns, and backend data anomalies that could indicate station impersonation.
- Apply ICS defense-in-depth practices such as segmentation, least privilege, and restrictive network ACLs.
- Follow CISA ICS recommended practices and contact ePower support for product-specific remediation guidance.
Evidence notes
Primary facts come from the CISA CSAF advisory for ICSA-26-062-07/CVE-2026-22552, published 2026-03-03. The source states that WebSocket endpoints lack proper authentication and that an unauthenticated attacker can use a known or discovered charging-station identifier to impersonate a charger and manipulate OCPP traffic. The same source records that ePower did not respond to CISA’s coordination request and includes general ICS defensive references rather than a vendor fix.
Official resources
-
CVE-2026-22552 CVE record
CVE.org
-
CVE-2026-22552 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA in ICS Advisory ICSA-26-062-07 on 2026-03-03, which is also the CVE publication date supplied in the source corpus. The source advisory indicates that ePower did not respond to CISA’s coordination request. No test