---
title: "Critical Flaws in Chargemap EV Chargers Expose Global Energy Infrastructure"
short_title: "Critical vulnerabilities in Chargemap EV chargers"
description: "Four critical vulnerabilities in Chargemap EV charging stations (CVE-2026-25851, CVE-2026-20792) enable unauthorized control and DoS attacks. Learn mitigation steps now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [ev chargers, cve-2026, cybersecurity, energy sector, vulnerability]
score: 0.92
cve_ids: [CVE-2026-25851, CVE-2026-20792, CVE-2026-25711, CVE-2026-20791]
---
## TL;DR

Four critical vulnerabilities in Chargemap EV charging stations (CVE-2026-25851, CVE-2026-20792, CVE-2026-25711, and CVE-2026-20791) could allow attackers to gain unauthorized administrative control or disrupt services via denial-of-service (DoS) attacks. These flaws affect all versions of Chargemap’s platform, posing risks to global energy and transportation infrastructure. No patches are currently available.
---
## Main Content

### Introduction

The energy and transportation sectors face a growing cybersecurity threat as critical vulnerabilities in Chargemap EV charging stations come to light. Discovered by researchers Khaled Sarieddine and Mohammad Ali Sayed, these flaws expose charging infrastructure to unauthorized access, data manipulation, and service disruptions. With no vendor response from Chargemap, organizations must act swiftly to mitigate risks and protect their networks.
---
### Key Points

- Four critical vulnerabilities (CVE-2026-25851, CVE-2026-20792, CVE-2026-25711, CVE-2026-20791) affect all versions of Chargemap’s charging platform.
- Exploitation could lead to unauthorized administrative control, DoS attacks, or session hijacking.
- No patches available: Chargemap has not responded to coordination requests from CISA.
- Global impact: Vulnerabilities affect energy and transportation sectors worldwide.
- Publicly accessible credentials exacerbate the risk of exploitation.
---
### Technical Details

#### 1. Missing Authentication for Critical Functions (CVE-2026-25851)
- CVSS Score: 9.4 (Critical)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L`
- Description: Chargemap’s WebSocket endpoints lack proper authentication, allowing attackers to impersonate charging stations and manipulate backend data. Unauthenticated attackers can connect to the OCPP WebSocket endpoint using a known or discovered station identifier, enabling privilege escalation and unauthorized control of charging infrastructure.
#### 2. Improper Restriction of Excessive Authentication Attempts (CVE-2026-20792)
- CVSS Score: 7.5 (High)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
- Description: The absence of rate limiting on authentication requests allows attackers to launch brute-force attacks or DoS attacks, suppressing or misrouting legitimate charger telemetry.
#### 3. Insufficient Session Expiration (CVE-2026-25711)
- CVSS Score: 7.3 (High)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L`
- Description: Chargemap’s backend allows multiple endpoints to connect using the same session identifier. Session IDs are therefore predictable, which enables session hijacking: attackers can displace legitimate stations and receive backend commands intended for them.
#### 4. Insufficiently Protected Credentials (CVE-2026-20791)
- CVSS Score: 6.5 (Medium)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
- Description: Charging station authentication identifiers are publicly accessible via web-based mapping platforms, increasing the risk of unauthorized access.
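
The server-side checks whose absence the first three CVEs describe, as an added example (not Chargemap's code and not taken from the advisory): per-station authentication, lockout after repeated failures, and refusal to let a second connection take over a live session. The `OcppGatekeeper` class, the `/ocpp/<station_id>` path, the HTTP Basic scheme, the thresholds and the status strings are all assumptions made for illustration.

```python
import base64, hashlib, hmac

MAX_FAILURES, WINDOW_S = 5, 300  # assumed lockout policy; tune per deployment

def basic_header(user, password):
    """Build the HTTP Basic value a station would send (helper for trying the class)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class OcppGatekeeper:
    """Admission decision for a WebSocket upgrade to /ocpp/<station_id> (hypothetical path)."""

    def __init__(self, station_keys):
        # Keep only digests of the per-station keys (assumed random, high entropy).
        self._digests = {s: hashlib.sha256(k.encode()).digest() for s, k in station_keys.items()}
        self._failures = {}  # src_ip -> times of recent failed attempts
        self._active = {}    # station_id -> src_ip that holds the live session

    def _authenticated(self, station_id, auth_header):
        if not auth_header or not auth_header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(auth_header[6:], validate=True).partition(b":")
        except ValueError:
            return False
        expected = self._digests.get(station_id, bytes(32))
        key_ok = hmac.compare_digest(hashlib.sha256(password).digest(), expected)
        # The identifier is public, so only the key proves identity; the username
        # must still match the identifier in the URL.
        return key_ok and station_id in self._digests and user == station_id.encode()

    def admit(self, station_id, auth_header, src_ip, now):
        recent = [t for t in self._failures.get(src_ip, []) if now - t < WINDOW_S]
        self._failures[src_ip] = recent
        if len(recent) >= MAX_FAILURES:
            return "429 locked-out"        # throttle before any credential work
        if not self._authenticated(station_id, auth_header):
            recent.append(now)
            return "401 unauthorized"
        if station_id in self._active:
            return "409 session-exists"    # a newcomer never displaces a live session
        self._active[station_id] = src_ip
        return "101 switching-protocols"

    def release(self, station_id):
        self._active.pop(station_id, None)  # call on socket close or heartbeat timeout
```

Rejecting the newcomer rather than the existing session means a station that reconnects after a network drop waits until `release` runs for its old socket, so the heartbeat timeout should be short.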
---
### Impact Assessment

The vulnerabilities pose severe risks to critical infrastructure, including:
- Unauthorized control of charging stations, enabling attackers to manipulate charging sessions or disrupt services.
- DoS attacks, leading to service outages and financial losses for operators.
- Data corruption, compromising the integrity of charging network reports.
- Wider energy sector risks, as compromised charging stations could serve as entry points for larger cyberattacks on energy grids.
The global deployment of Chargemap’s platform amplifies the potential impact, affecting energy and transportation systems worldwide.
---
### Mitigation Steps

CISA recommends the following defensive measures to minimize exploitation risks:
1. Network Segmentation:
   - Minimize network exposure for control system devices.
   - Ensure charging stations are not accessible from the internet.
2. Firewall Protection:
   - Locate control system networks and remote devices behind firewalls.
   - Isolate them from business networks.
3. Secure Remote Access:
   - Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
   - Recognize that VPNs are only as secure as the connected devices.
4. Monitoring and Incident Response:
   - Implement continuous monitoring for suspicious activity.
   - Follow established internal procedures to report and mitigate malicious activity.
5. Vendor Coordination:
   - Contact Chargemap via their [support page](https://chargemap.com/en-us/support) for updates on patches or mitigations.
For additional guidance, refer to CISA’s [ICS Cybersecurity Best Practices](https://www.cisa.gov/ics).
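
With no patch available, the monitoring step carries most of the weight. The following added example (not from CISA or Chargemap) shows detection logic for two of the behaviours described under Technical Details: a second source connecting under a station identifier that is still in use, and one source opening connections in a burst. The log format, field names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(r"^(\S+) (CONNECT|DISCONNECT) station=(\S+) src=(\S+)$")
BURST, WINDOW_S = 5, 60  # assumed threshold: 5 connects per source per minute

def detect(lines):
    """Return alerts as (timestamp, rule, station_id, src) tuples."""
    open_by_station = {}           # station_id -> src holding the session
    connects = defaultdict(deque)  # src -> timestamps of recent CONNECTs
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue               # ignore lines in another format
        ts_raw, event, station, src = m.groups()
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        if event == "DISCONNECT":
            if open_by_station.get(station) == src:
                del open_by_station[station]
            continue
        # Rule 1: a different source connects under an identifier still in use.
        holder = open_by_station.get(station)
        if holder is not None and holder != src:
            alerts.append((ts_raw, "session-displacement", station, src))
        open_by_station[station] = src  # mirrors the backend: newest connection wins
        # Rule 2: one source opens connections faster than a charger plausibly would.
        q = connects[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_S:
            q.popleft()
        if len(q) == BURST:
            alerts.append((ts_raw, "connect-burst", station, src))
    return alerts

# Constructed sample log; addresses are from private and documentation ranges.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z CONNECT station=CP-0001 src=10.20.0.5
2026-03-01T10:02:00Z CONNECT station=CP-0001 src=203.0.113.7
2026-03-01T10:02:01Z CONNECT station=CP-0002 src=203.0.113.7
2026-03-01T10:02:02Z CONNECT station=CP-0003 src=203.0.113.7
2026-03-01T10:02:03Z CONNECT station=CP-0004 src=203.0.113.7
2026-03-01T10:02:04Z CONNECT station=CP-0005 src=203.0.113.7
2026-03-01T10:09:00Z DISCONNECT station=CP-0005 src=203.0.113.7
""".splitlines()
```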
---
### Conclusion

The discovery of these critical vulnerabilities in Chargemap EV charging stations underscores the growing cybersecurity risks facing critical infrastructure sectors. With no patches available and no response from the vendor, organizations must take proactive steps to secure their networks and mitigate potential attacks.
As the energy and transportation sectors continue to digitize, the need for robust cybersecurity measures has never been more urgent. Stay vigilant, implement defensive strategies, and monitor for updates from Chargemap to protect against exploitation.