PatchSiren cyber security CVE debrief
CVE-2026-27649 CTEK CVE debrief
CVE-2026-27649 is a high-severity issue in CTEK Chargeportal’s WebSocket backend. According to the CISA advisory, charging station identifiers are used to associate sessions, but multiple endpoints can connect with the same session identifier. That predictable behavior can let a later connection displace the legitimate station and receive backend commands meant for it. The advisory also says this can be used to impersonate other users or create denial-of-service conditions by flooding the backend with valid session requests.
- Vendor: CTEK
- Product: Chargeportal
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-19
- Original CVE updated: 2026-03-19
- Advisory published: 2026-03-19
- Advisory updated: 2026-03-19
Who should care
CTEK Chargeportal operators, EV charging infrastructure administrators, OT/industrial defenders, and teams responsible for backend session handling or network exposure of Chargeportal services should treat this as relevant.
Technical summary
The advisory describes a session-management weakness in the WebSocket backend. Because charging-station identifiers are predictable and not uniquely enforced per connection, a second endpoint can join with the same session identifier. The newest connection shadows the original station and is then positioned to receive backend commands intended for that station. CISA’s supplied CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates network reachability, no privileges, and potential impact to confidentiality, integrity, and availability. The source also notes a mitigation path: CTEK plans to sunset the product in April 2026 and directs customers to contact CTEK support.
Defensive priority
High. The issue is remotely reachable, requires no privileges, and can affect both command integrity and service availability. If Chargeportal is internet-exposed or broadly reachable inside an OT network, prioritize containment and vendor coordination.
Recommended defensive actions
- Contact CTEK support to confirm remediation options and the product sunset/migration timeline.
- Inventory all Chargeportal deployments and identify any exposed WebSocket endpoints.
- Restrict network access to the backend to only trusted management and station networks.
- Monitor for duplicate or rapidly changing session identifiers and unexpected session displacement.
- Review logs for unusual connection churn, repeated valid session requests, or commands delivered to unexpected stations.
- Segment charging infrastructure from general-purpose networks to reduce lateral access.
- Apply CISA ICS defense-in-depth and recommended-practices guidance referenced in the advisory.
- Plan migration away from Chargeportal if it is being sunset in April 2026.
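To make the monitoring items above concrete, here is an added detection example (not CTEK, CISA or PatchSiren code) that replays constructed backend connection events and flags a station identifier being claimed by a second peer while another still holds it, plus a single peer opening many valid sessions in a short window; the event format, addresses, station identifiers and thresholds are assumptions.

```python
"""Detect session shadowing and connection flooding from backend WebSocket logs."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch
    action: str    # "connect" or "disconnect"
    station: str   # charging-station session identifier carried by the client
    peer: str      # remote address of the WebSocket client

# Constructed sample (assumption, not real telemetry): CS-0042 is connected from
# a legitimate peer, then a second peer joins with the same identifier and the
# original is displaced; a third peer rapidly opens many valid sessions.
SAMPLE = [
    Event(100.0, "connect", "CS-0042", "10.0.1.20"),
    Event(160.0, "connect", "CS-0042", "198.51.100.7"),
    Event(161.0, "disconnect", "CS-0042", "10.0.1.20"),
] + [Event(200.0 + i * 0.25, "connect", f"CS-{i:04d}", "198.51.100.9") for i in range(25)]

def analyze(events, flood_threshold=20, flood_window=10.0):
    """Return (ts, kind, detail) alerts, oldest first.

    shadow: a connect for a station id that another peer currently holds,
            i.e. the new connection displaces the legitimate station.
    flood:  one peer opening more than flood_threshold sessions within
            flood_window seconds (fires once when the threshold is crossed).
    """
    active = {}                   # station id -> peer currently holding it
    recent = defaultdict(deque)   # peer -> timestamps of its recent connects
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "connect":
            holder = active.get(ev.station)
            if holder is not None and holder != ev.peer:
                alerts.append((ev.ts, "shadow",
                               f"{ev.station} held by {holder} displaced by {ev.peer}"))
            active[ev.station] = ev.peer   # newest connection wins, as in the advisory
            q = recent[ev.peer]
            q.append(ev.ts)
            while q and ev.ts - q[0] > flood_window:
                q.popleft()
            if len(q) == flood_threshold + 1:
                alerts.append((ev.ts, "flood",
                               f"{ev.peer} opened {len(q)} sessions in {flood_window}s"))
        elif ev.action == "disconnect" and active.get(ev.station) == ev.peer:
            del active[ev.station]   # a displaced peer's disconnect must not free the id
    return alerts
```

Running `analyze(SAMPLE)` yields one shadow alert for CS-0042 at t=160 and one flood alert for 198.51.100.9 once its 21st session lands inside the 10-second window.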
Evidence notes
All core claims come from the supplied CISA CSAF advisory and its embedded product notes. The advisory explicitly states that the WebSocket backend accepts multiple endpoints using the same charging-station session identifier, enabling session hijacking/shadowing and possible denial of service. The CVSS vector is taken from the source metadata. The remediation note about product sunset and contacting CTEK support is also from the supplied corpus. The enrichment data indicates no KEV listing and no ransomware campaign association in the provided source set.
Official resources
- CVE-2026-27649 CVE record (CVE.org)
- CVE-2026-27649 NVD detail (NVD)
- Source item URL (cisa_csaf)
Initial public advisory published by CISA on 2026-03-19 as ICSA-26-078-06. The supplied corpus does not indicate KEV inclusion or ransomware-campaign use.