PatchSiren cyber security CVE debrief

CVE-2026-31904 CTEK CVE debrief

CVE-2026-31904 is a high-severity weakness in CTEK Chargeportal’s WebSocket application interface. CISA’s advisory says the service lacks restrictions on the number of authentication requests, which can let an attacker overwhelm or disrupt charger telemetry and may also support brute-force attempts against authentication. The advisory was initially published on 2026-03-19.

Vendor: CTEK
Product: Chargeportal
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-19
Original CVE updated: 2026-03-19
Advisory published: 2026-03-19
Advisory updated: 2026-03-19

Who should care

Operators of CTEK Chargeportal deployments, EV charging infrastructure administrators, OT/security teams, and incident responders responsible for internet-facing or remotely reachable charger-management services.

Technical summary

The supplied CISA CSAF advisory describes a missing rate limit on authentication requests to a WebSocket API. That matches a brute-force/rate-limiting weakness and is consistent with CWE-307 (Improper Restriction of Excessive Authentication Attempts) in the source references. The published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-reachable issue with low attack complexity, no privileges or user interaction required, and high availability impact but no confidentiality or integrity impact. The source also includes the SSVC v2 decision string SSVCv2/E:N/A:Y/2026-03-18T05:00:00.000000Z (exploitation: none reported; automatable: yes). Remediation guidance in the advisory notes that CTEK will sunset the product in April 2026 and directs customers to CTEK support.

Defensive priority

High. The issue is network-reachable, requires no prior privileges, and can affect availability of charger telemetry and related operations. For exposed deployments, prioritize access restriction, monitoring, and migration/retirement planning ahead of the April 2026 sunset noted by CTEK.

Recommended defensive actions

  • Restrict access to the WebSocket interface to trusted networks, VPNs, or administrative jump hosts; avoid public exposure where possible.
  • Implement or enforce request throttling and authentication-rate controls at a gateway, proxy, or other front-end control if the product itself cannot do so.
  • Monitor for excessive authentication attempts, repeated failures, telemetry suppression, or unexpected routing anomalies.
  • Follow CISA industrial control system defense-in-depth and recommended-practices guidance for segmentation, access control, and monitoring.
  • Contact CTEK support and track the product sunset timeline noted in the advisory so you can plan migration or retirement before April 2026.
  • Validate credentials, account controls, and alerting for any deployments that must remain online until replacement is complete.
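As an added example, not CTEK product code or anything from the CISA advisory, the following Python sketches the two front-end controls described in the list above: a per-source sliding-window limiter on WebSocket authentication attempts (to place in a proxy or gateway in front of the service) and a detector that flags sources exceeding a failure threshold in proxy logs. The thresholds, the log line format and the IP addresses are constructed assumptions.

```python
"""Sliding-window authentication limiter and brute-force detector.
Constructed example; thresholds, log format and addresses are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timezone


class AuthRateLimiter:
    """Allow at most `limit` auth attempts per `window` seconds per source."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)  # source -> attempt timestamps

    def allow(self, source, now):
        q = self.attempts[source]
        while q and now - q[0] >= self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget exhausted: reject before reaching the backend
        q.append(now)
        return True


def build_sample_log():
    """Constructed proxy log: 'ts source event result', one source fails 12x in 24 s."""
    lines = [f"2026-03-20T10:00:{i * 2:02d}Z 203.0.113.7 ws_auth fail" for i in range(12)]
    lines += ["2026-03-20T10:00:05Z 198.51.100.4 ws_auth fail",
              "2026-03-20T10:00:40Z 198.51.100.4 ws_auth ok"]
    return "\n".join(lines)


def flag_brute_force(log_text, threshold=10, window=60.0):
    """Return sources with >= threshold failed ws_auth events inside any `window` seconds."""
    failures = defaultdict(deque)
    flagged = set()
    for line in log_text.splitlines():
        ts, src, event, result = line.split()
        if event != "ws_auth" or result != "fail":
            continue  # only failed authentication events count
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        q = failures[src]
        q.append(t)
        while t - q[0] > window:  # keep only failures within the trailing window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("flagged:", flag_brute_force(build_sample_log()))  # {'203.0.113.7'}
```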

Evidence notes

This debrief is based on the supplied CISA CSAF advisory ICSA-26-078-06 and its linked references. The advisory text states that the WebSocket Application Programming Interface lacks restrictions on the number of authentication requests, enabling denial of service via telemetry suppression or mis-routing, or brute-force attempts. The advisory’s CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and the revision history shows Initial Publication on 2026-03-19. The vendor name normalization used for this debrief is low-confidence; the advisory itself identifies CTEK Chargeportal with product scope vers:all/*.

Official resources

Publicly disclosed by CISA in ICSA-26-078-06 on 2026-03-19; the supplied revision history shows Initial Publication and no later advisory updates in the corpus.