PatchSiren cyber security CVE debrief
CVE-2026-25192 CTEK CVE debrief
CVE-2026-25192 is a critical authentication weakness in CTEK Chargeportal's WebSocket/OCPP interface. According to the CISA advisory, an unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging-station identifier, then issue or receive OCPP commands as if they were a legitimate charger. The result can include unauthorized station impersonation, privilege escalation, control of charging infrastructure, and corruption of charging-network data reported to the backend.
- Vendor: CTEK
- Product: Chargeportal
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-19
- Original CVE updated: 2026-03-19
- Advisory published: 2026-03-19
- Advisory updated: 2026-03-19
Who should care
Operators of CTEK Chargeportal deployments, EV charging network administrators, OT/industrial security teams, and anyone responsible for backend systems that trust OCPP charger identity or station telemetry.
Technical summary
The advisory describes a lack of proper authentication on the WebSocket endpoints used for OCPP communications. Because the endpoint accepts connections without required authentication, an attacker who knows or can discover a station identifier may impersonate that charging station and interact with backend OCPP flows as though they were authorized. This can affect command integrity, station identity assurance, and the reliability of data sent to the backend. The provided CVSS v3.1 vector is 9.4/Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating network reachability, low attack complexity, no privileges or user interaction required, high impact to confidentiality and integrity, and low impact to availability, with scope unchanged.
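To make the weakness concrete from the backend's side, the following added example (not CTEK's code and not taken from the advisory) contrasts a WebSocket handshake authorizer that derives charger identity solely from the URL path, which is the pattern the advisory describes, with one that requires HTTP Basic credentials bound to the station identifier in the path, the shape of OCPP 1.6 security profile 1. The path convention `/ocpp/<station_id>`, the credential store, the PBKDF2 parameters and the helper names are assumptions for illustration; TLS is assumed to protect the credentials in transit.

```python
import base64
import hashlib
import hmac
import os
from typing import Mapping, Optional


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an example value, not a vendor setting
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(credentials: Mapping[str, str]) -> dict:
    # Hypothetical credential store: station_id -> (salt, derived key).
    # Constructed for this example; a real backend would persist this.
    store = {}
    for station_id, password in credentials.items():
        salt = os.urandom(16)
        store[station_id] = (salt, _derive(password, salt))
    return store


def basic_header(user: str, password: str) -> dict:
    # Build the Authorization header a charger would send under profile 1
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def station_id_from_path(path: str) -> Optional[str]:
    # OCPP-J convention (assumed here): the charge point identity is the last path segment
    parts = [p for p in path.split("/") if p]
    return parts[-1] if parts else None


def authorize_handshake_weak(path: str, headers: Mapping[str, str]) -> Optional[str]:
    # Weak pattern matching the advisory: whoever names a station id is treated as that station
    return station_id_from_path(path)


def authorize_handshake(path: str, headers: Mapping[str, str], store: dict) -> Optional[str]:
    # Hardened pattern: the claimed identity must be backed by credentials issued to that station
    station_id = station_id_from_path(path)
    if station_id is None or station_id not in store:
        return None
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    # The username must match the identity in the path, so a valid credential for one
    # station cannot be replayed to impersonate another; comparisons are constant-time
    if not hmac.compare_digest(user.encode(), station_id.encode()):
        return None
    salt, expected = store[station_id]
    if not hmac.compare_digest(_derive(password, salt), expected):
        return None
    return station_id


if __name__ == "__main__":
    store = make_store({"CP001": "example-password-cp001"})
    print(authorize_handshake_weak("/ocpp/CP001", {}))                       # accepted with no credential
    print(authorize_handshake("/ocpp/CP001", {}, store))                      # None
    print(authorize_handshake("/ocpp/CP001", basic_header("CP001", "example-password-cp001"), store))
```

The check that the Basic username equals the path identity matters as much as the password check: without it, a single leaked credential for one charger would let a client claim any station identifier, which is the impersonation outcome the advisory describes.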
Defensive priority
Immediate. Treat as a high-risk exposure on any reachable deployment until authentication is enforced or the product is retired.
Recommended defensive actions
- Restrict network access to the OCPP WebSocket endpoint so only trusted management networks can reach it.
- Validate whether station identifiers are predictable or discoverable and rotate or harden any exposed identifiers where possible.
- Review backend logs for unexpected charger sessions, duplicate station identities, unusual OCPP command patterns, or data inconsistencies.
- Apply vendor guidance from CTEK and plan for the announced product sunset in April 2026.
- If Chargeportal must remain in service temporarily, place compensating controls around authentication, segmentation, and monitoring for charger/backend communications.
- Use CISA ICS recommended practices and defense-in-depth guidance to reduce exposure of industrial and charging infrastructure systems.
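As an added example of the log review and segmentation items above (not CTEK's tooling; the log format, the trusted management network range and the sample lines are all constructed for illustration), this script replays central-system WebSocket connection events and flags two of the indicators listed: a charger session arriving from outside the trusted management network, and a second concurrent session for a station identifier that is already connected from a different source address.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed management network for the charging backend (example value only)
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample of backend connection events; not a real Chargeportal log format
SAMPLE_LOG = """\
2026-03-19T08:00:01Z CONNECT station=CP001 src=10.20.4.11 session=a1
2026-03-19T08:00:05Z CONNECT station=CP002 src=10.20.4.12 session=a2
2026-03-19T08:03:10Z CONNECT station=CP001 src=203.0.113.45 session=a3
2026-03-19T08:03:12Z MSG station=CP001 session=a3 action=StatusNotification
2026-03-19T08:04:00Z DISCONNECT station=CP001 session=a1
2026-03-19T08:10:00Z CONNECT station=CP003 src=198.51.100.7 session=a4
"""


def parse_line(line: str) -> dict:
    # "<timestamp> <EVENT> key=value ..." -> dict with parsed timestamp
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyze(log_text: str) -> list:
    # Returns (finding, station, session, source) tuples in the order they are raised
    findings = []
    active = defaultdict(dict)  # station -> {session: source address}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        station = rec.get("station")
        if rec["event"] == "CONNECT":
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in TRUSTED_NETWORKS):
                findings.append(("untrusted_source", station, rec["session"], str(src)))
            # Same identifier already live from another address: the duplicate-identity
            # pattern a station-impersonation attempt would leave in backend logs
            if any(other != str(src) for other in active[station].values()):
                findings.append(("duplicate_identity", station, rec["session"], str(src)))
            active[station][rec["session"]] = str(src)
        elif rec["event"] == "DISCONNECT":
            active[station].pop(rec["session"], None)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, session a3 raises both findings (it comes from 203.0.113.45 while CP001 is still connected as session a1 from the management network), and session a4 raises only the untrusted-source finding. A charger that legitimately reconnects from the same address after a drop does not trip the duplicate check, which keeps the rule useful on real fleets where reconnects are routine.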
Evidence notes
The debrief is based on the CISA CSAF advisory ICSA-26-078-06 and the linked official references. The advisory explicitly states that WebSocket endpoints lack proper authentication and that an unauthenticated attacker can impersonate a charging station via the OCPP WebSocket endpoint. The provided source also includes an April 2026 sunset notice from CTEK, which affects remediation planning. Vendor metadata in the intake is marked low confidence, so the product name from the advisory is treated as authoritative.
Official resources
- CVE-2026-25192 CVE record (CVE.org)
- CVE-2026-25192 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2026-03-19 as ICSA-26-078-06; the advisory revision history shows initial publication only.