PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25711 Unknown Vendor CVE debrief

CVE-2026-25711 is a high-severity session-management weakness in Chargemap’s WebSocket backend. According to CISA’s advisory, charging station identifiers are used to associate sessions, but multiple endpoints can connect using the same session identifier. That design can let a newer connection shadow the legitimate charging station, receive backend commands intended for it, and potentially support unauthorized authentication or denial of service through repeated valid session requests.

Vendor: Unknown Vendor
Product: Chargemap chargemap.com vers:all/*
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

Operators and administrators of Chargemap-connected charging infrastructure, backend and application security teams, and incident responders who monitor WebSocket session binding, duplicate connection behavior, or unexplained command routing changes.

Technical summary

The advisory says the backend uses charging-station identifiers as unique session keys, but it accepts more than one endpoint for the same identifier. Because the identifier appears predictable and reusable, a later connection can displace the original session and inherit backend traffic intended for the legitimate station. The reported impact includes session hijacking or shadowing, unauthorized access as another user, and service degradation or denial of service when an attacker floods the backend with valid session requests. The source lists CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L for a 7.3 HIGH score.
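The following is an added illustration of the binding weakness just described, written for this debrief; it is not Chargemap code and makes no claim about how the real backend is built. It models two in-memory session registries for a WebSocket-style backend: a weak one keyed by the client-supplied station identifier, where a later connection silently displaces the earlier one and inherits its commands, and a hardened one that authenticates the station with a challenge-response, refuses a second live session for the same station, and routes commands only through a server-issued, unguessable per-connection token. Station IDs, the provisioning secret and the command name are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Connection:
    """Stand-in for one WebSocket connection; commands delivered to it are collected."""
    peer: str
    inbox: list = field(default_factory=list)


class WeakRegistry:
    """Sessions keyed by the client-supplied station ID: the pattern the advisory describes."""

    def __init__(self):
        self.sessions = {}  # station_id -> Connection

    def connect(self, station_id, conn):
        # No proof of identity and no duplicate check: the latest claimant wins.
        self.sessions[station_id] = conn
        return station_id  # the "session key" is just the guessable station ID

    def send_command(self, station_id, command):
        # Backend commands go to whichever endpoint most recently claimed the ID.
        self.sessions[station_id].inbox.append(command)


class DuplicateSession(Exception):
    """Raised when a station already has a live session."""


class HardenedRegistry:
    """Challenge-response authentication, one live session per station,
    and routing by an unguessable per-connection token (hypothetical design)."""

    def __init__(self, station_secrets):
        self.station_secrets = station_secrets  # station_id -> secret provisioned out of band
        self.by_token = {}    # session token -> (station_id, Connection)
        self.by_station = {}  # station_id -> session token

    def connect(self, station_id, conn, prove):
        """`prove(nonce)` stands in for the client's answer to the server's challenge."""
        secret = self.station_secrets.get(station_id)
        if secret is None:
            raise PermissionError("unknown station")
        nonce = secrets.token_bytes(16)
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, prove(nonce)):
            raise PermissionError("station failed challenge")
        if station_id in self.by_station:
            # Policy choice: refuse rather than displace; a deliberate handoff
            # would require an explicit, logged disconnect of the old session.
            raise DuplicateSession(f"{station_id} already has a live session")
        token = secrets.token_urlsafe(32)
        self.by_token[token] = (station_id, conn)
        self.by_station[station_id] = token
        return token

    def send_command(self, station_id, command):
        # Dispatch resolves through the server-issued token, never a client claim.
        token = self.by_station[station_id]
        self.by_token[token][1].inbox.append(command)


def demo_weak():
    """A second connection claiming the same predictable ID inherits the command."""
    reg = WeakRegistry()
    legit, shadow = Connection("station-uplink"), Connection("unexpected-peer")
    reg.connect("CS-0001", legit)
    reg.connect("CS-0001", shadow)
    reg.send_command("CS-0001", "RemoteStartTransaction")
    return legit.inbox, shadow.inbox


def demo_hardened():
    """Same sequence against the hardened registry."""
    secret = b"constructed-provisioning-secret"  # constructed sample value
    reg = HardenedRegistry({"CS-0001": secret})

    def good_proof(nonce):
        return hmac.new(secret, nonce, hashlib.sha256).digest()

    legit = Connection("station-uplink")
    reg.connect("CS-0001", legit, good_proof)
    try:  # valid credentials, but the station already has a live session
        reg.connect("CS-0001", Connection("second"), good_proof)
        duplicate_rejected = False
    except DuplicateSession:
        duplicate_rejected = True
    try:  # knows the station ID but not the secret
        reg.connect("CS-0001", Connection("no-secret"), lambda nonce: bytes(32))
        unauth_rejected = False
    except PermissionError:
        unauth_rejected = True
    reg.send_command("CS-0001", "RemoteStartTransaction")
    return duplicate_rejected, unauth_rejected, legit.inbox
```

In the weak registry the legitimate station's inbox stays empty and the later connection receives the command, which is exactly the shadowing the advisory describes; in the hardened one both the duplicate and the unauthenticated attempt are refused and the command reaches the original connection.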

Defensive priority

High. This is network-reachable, requires no privileges or user interaction, and can affect confidentiality, integrity, and availability through session confusion and duplicate-session takeover.

Recommended defensive actions

  • Review WebSocket session binding so each backend session is tied to a single, unguessable, per-connection token rather than a predictable station identifier.
  • Reject or immediately invalidate duplicate connections for the same logical station unless a deliberate, authenticated handoff is intended and logged.
  • Add server-side authorization checks before routing commands to any station session; do not trust a client-supplied identifier alone.
  • Monitor for duplicate session attempts, rapid reconnects, unexpected station shadowing, and command delivery to newly connected endpoints.
  • Rate-limit and alert on bursts of valid session creation or reconnection attempts that could indicate flooding or session takeover.
  • Segregate and log session establishment, replacement, and command-dispatch events to support detection and incident response.
  • Follow vendor and CISA guidance, and check for an updated Chargemap fix or coordination notice before deploying any workaround in production.
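To make the monitoring and rate-limit items above concrete, here is an added detection example written for this debrief; the log format and the events in it are constructed, not Chargemap's, and the thresholds are illustrative. Three checks run over session-lifecycle events: a session opened for a station that already has a live session from a different peer (shadowing), a command dispatched to a connection shortly after it displaced another one, and a burst of session opens from a single peer inside a short window.

```python
from collections import defaultdict, deque
from datetime import datetime

BURST_LIMIT = 5       # session.open events allowed per peer inside BURST_WINDOW
BURST_WINDOW = 10.0   # seconds
GRACE_SECONDS = 30.0  # a command this soon after a displacement is worth a look

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2026-02-26T07:00:01Z session.open station=CS-0001 peer=203.0.113.10 conn=c1
2026-02-26T07:00:05Z session.open station=CS-0001 peer=198.51.100.7 conn=c2
2026-02-26T07:00:05Z session.replace station=CS-0001 old=c1 new=c2
2026-02-26T07:00:06Z command.dispatch station=CS-0001 conn=c2 cmd=RemoteStartTransaction
2026-02-26T07:01:00Z session.open station=CS-0002 peer=203.0.113.11 conn=c3
2026-02-26T07:01:01Z session.close station=CS-0002 conn=c3
2026-02-26T07:01:02Z session.open station=CS-0002 peer=203.0.113.11 conn=c4
2026-02-26T07:02:00Z session.open station=CS-0003 peer=198.51.100.7 conn=c5
2026-02-26T07:02:01Z session.open station=CS-0004 peer=198.51.100.7 conn=c6
2026-02-26T07:02:02Z session.open station=CS-0005 peer=198.51.100.7 conn=c7
2026-02-26T07:02:03Z session.open station=CS-0006 peer=198.51.100.7 conn=c8
2026-02-26T07:02:04Z session.open station=CS-0007 peer=198.51.100.7 conn=c9
2026-02-26T07:02:05Z session.open station=CS-0008 peer=198.51.100.7 conn=c10
"""


def parse(line):
    """'<ts> <kind> k=v k=v ...' -> dict with parsed timestamp."""
    raw_ts, kind, *pairs = line.split()
    ev = dict(pair.split("=", 1) for pair in pairs)
    ev["raw_ts"] = raw_ts
    ev["ts"] = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["kind"] = kind
    return ev


def detect(lines):
    """Return alerts as (timestamp, kind, subject, detail) tuples."""
    alerts = []
    live = {}                   # station -> (peer, conn) currently bound
    replaced_at = {}            # new conn -> (ts, old conn, station)
    opens = defaultdict(deque)  # peer -> timestamps of recent session.open
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        ts, kind = ev["ts"], ev["kind"]
        if kind == "session.open":
            st, peer, conn = ev["station"], ev["peer"], ev["conn"]
            if st in live and live[st][0] != peer:
                old_peer, old_conn = live[st]
                alerts.append((ev["raw_ts"], "shadowing", st,
                               f"{peer} displaced {old_peer} ({old_conn} -> {conn})"))
            live[st] = (peer, conn)  # mirror the backend's last-writer-wins binding
            window = opens[peer]
            window.append(ts)
            while (ts - window[0]).total_seconds() > BURST_WINDOW:
                window.popleft()
            if len(window) > BURST_LIMIT:
                span = (ts - window[0]).total_seconds()
                alerts.append((ev["raw_ts"], "reconnect_burst", peer,
                               f"{len(window)} session.open in {span:.0f}s"))
                window.clear()  # one alert per burst, not one per extra event
        elif kind == "session.close":
            st = ev["station"]
            if st in live and live[st][1] == ev["conn"]:
                del live[st]  # a clean close followed by a reopen is not shadowing
        elif kind == "session.replace":
            replaced_at[ev["new"]] = (ts, ev["old"], ev["station"])
        elif kind == "command.dispatch":
            conn = ev["conn"]
            if conn in replaced_at:
                rts, old_conn, st = replaced_at[conn]
                age = (ts - rts).total_seconds()
                if age <= GRACE_SECONDS:
                    alerts.append((ev["raw_ts"], "replace_then_command", st,
                                   f"{ev['cmd']} sent to {conn} {age:.0f}s after it displaced {old_conn}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample log this raises three alerts: the shadowing of CS-0001 by a second peer, the command routed to the displacing connection one second later, and the six-opens-in-five-seconds burst from the same peer; the close-then-reopen on CS-0002 from one peer is deliberately left silent so the rule does not fire on ordinary reconnects.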

Evidence notes

The source CSAF for ICSA-26-057-05 states that the WebSocket backend uses charging station identifiers to uniquely associate sessions, but multiple endpoints can connect using the same session identifier. It further states that this can cause session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. The advisory also says the issue may allow unauthorized users to authenticate as other users or enable denial of service by overwhelming the backend with valid session requests. The provided metadata lists CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L with a 7.3 HIGH score. CISA notes that Chargemap did not respond to its coordination request. Publication and modification dates in the supplied record are 2026-02-26T07:00:00Z.

Official resources

CVE-2026-25711 was published by CISA on 2026-02-26T07:00:00Z, with the same timestamp recorded for the CVE and source modification fields. The supplied advisory indicates initial publication only and notes that Chargemap did not co