Critical Vulnerabilities in EVMAPA Charging Stations Expose EV Infrastructure to Attacks

Three critical vulnerabilities in **EVMAPA EV charging stations**—**CVE-2025-54816**, **CVE-2025-53968**, and **CVE-2025-55705**—could allow attackers to execute remote commands, trigger denial-of-service (DoS) conditions, or manipulate charging station statuses. These flaws affect charging infrastructure in **Czechia and Slovakia**, posing risks to transportation systems. Immediate mitigation steps are recommended.

---
title: "Critical Vulnerabilities in EVMAPA Charging Stations Expose EV Infrastructure to Attacks"
short_title: "EVMAPA charging stations critical flaws exposed"
description: "Three critical vulnerabilities in EVMAPA EV charging stations could lead to denial-of-service, unauthorized access, and remote command execution. Learn mitigation steps now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [ev-charging, cve-2025, cybersecurity, denial-of-service, remote-execution]
score: 0.85
cve_ids: [CVE-2025-54816, CVE-2025-53968, CVE-2025-55705]
---

TL;DR


Three critical vulnerabilities in EVMAPA EV charging stations (CVE-2025-54816, CVE-2025-53968, and CVE-2025-55705) could allow attackers to execute remote commands, trigger denial-of-service (DoS) conditions, or manipulate charging station statuses. These flaws affect charging infrastructure in Czechia and Slovakia, posing risks to transportation systems. Immediate mitigation steps are recommended.

---

Main Content

Introduction


Electric vehicle (EV) charging infrastructure is rapidly expanding, but its cybersecurity remains a critical concern. EVMAPA, a leading provider of EV charging solutions in Czechia and Slovakia, has disclosed three severe vulnerabilities in its charging stations. If exploited, these flaws could lead to degraded service, denial-of-service (DoS) attacks, or unauthorized remote command execution, potentially disrupting transportation systems and compromising user safety.

---

Key Points


- Three critical vulnerabilities affect EVMAPA EV charging stations, with CVSS scores ranging from 7.3 to 9.4.
- CVE-2025-54816 (CVSS 9.4) allows unauthorized access via a missing authentication mechanism in WebSocket endpoints.
- CVE-2025-53968 (CVSS 7.5) enables brute-force attacks due to unrestricted authentication attempts.
- CVE-2025-55705 (CVSS 7.3) permits multiple simultaneous connections using the same charging station ID, leading to session hijacking.
- Affected regions include Czechia and Slovakia, with potential implications for transportation systems.
- No known public exploitation has been reported yet, but proactive mitigation is critical.

---

Technical Details

#### 1. CVE-2025-54816: Missing Authentication for Critical Function
- CVSS Score: 9.4 (Critical)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L`
- Description: A WebSocket endpoint in EVMAPA charging stations lacks proper authentication, allowing unauthorized users to establish connections. Attackers can exploit this to gain access to sensitive data or perform unauthorized actions, potentially compromising the entire system.
- Relevant CWE: [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)
- Vendor Response: EVMAPA plans to implement BASIC authorization control for OCPP 2.x and newer stations. Some charging stations already use WebSocket Secure (WSS) or VPN connections to mitigate risks.

---

#### 2. CVE-2025-53968: Improper Restriction of Excessive Authentication Attempts
- CVSS Score: 7.5 (High)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
- Description: The system does not limit authentication attempts, enabling attackers to launch brute-force attacks or trigger denial-of-service (DoS) conditions. This can overwhelm the authentication system, rendering it unavailable to legitimate users.
- Relevant CWE: [CWE-307: Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html)
- Vendor Response: EVMAPA has not released a statement regarding this vulnerability. Users are advised to contact the vendor directly for updates.

---

#### 3. CVE-2025-55705: Insufficient Session Expiration
- CVSS Score: 7.3 (High)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L`
- Description: The system allows multiple simultaneous connections using the same charging station ID. This flaw can lead to unauthorized access, data inconsistency, or manipulation of charging sessions.
- Relevant CWE: [CWE-613: Insufficient Session Expiration](https://cwe.mitre.org/data/definitions/613.html)
- Vendor Response: EVMAPA has resolved this issue by preventing simultaneous connections with the same Charge Box ID (CBID).
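
The three weaknesses above all sit at the point where a station opens its WebSocket to the backend, so one admission check can cover them. The sketch below is an added example, not EVMAPA's code: the `AdmissionGate` class, the lockout policy, the status codes and the rule that the Basic-auth username must equal the CBID are assumptions made for illustration.

```python
import base64, hashlib, hmac, time

MAX_FAILS, WINDOW_S = 5, 300   # assumed lockout policy, not a vendor value

class AdmissionGate:
    """Decides whether a station's WebSocket upgrade request is accepted."""
    def __init__(self, credentials):
        # CBID -> SHA-256 hex of the station key (fine for random keys;
        # use a slow KDF if keys are human-chosen)
        self.credentials = credentials
        self.failures = {}   # source IP -> timestamps of recent failed attempts
        self.active = {}     # CBID -> source IP holding the live session

    @staticmethod
    def _parse_basic(header):
        try:
            scheme, blob = header.split(" ", 1)
            user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
            return (user, pw) if scheme.lower() == "basic" else None
        except (ValueError, AttributeError, UnicodeDecodeError):
            return None      # missing or malformed header counts as a failure

    def admit(self, cbid, auth_header, src_ip, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(src_ip, []) if now - t < WINDOW_S]
        self.failures[src_ip] = recent
        if len(recent) >= MAX_FAILS:                 # CWE-307: cap attempts
            return 429, "too many failed attempts"
        creds = self._parse_basic(auth_header)
        expected = self.credentials.get(cbid, "")
        digest = hashlib.sha256(creds[1].encode()).hexdigest() if creds else ""
        ok = (creds is not None and creds[0] == cbid
              and hmac.compare_digest(digest, expected))
        if not ok:                                   # CWE-306: no anonymous upgrade
            recent.append(now)
            return 401, "authentication required"
        if cbid in self.active:                      # one live session per CBID
            return 409, "CBID already connected"
        self.active[cbid] = src_ip
        return 101, "switching protocols"

    def release(self, cbid):
        self.active.pop(cbid, None)                  # call on socket close

def demo_gate():
    # Constructed station credential for the example
    return AdmissionGate({"CB-001": hashlib.sha256(b"constructed-key").hexdigest()})
```

Because the lockout is checked before the credentials, a source that has hit the limit is refused even when it finally presents the right key, until the window expires.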

---

Impact Assessment


The vulnerabilities in EVMAPA charging stations pose significant risks to EV infrastructure, including:
- Denial-of-Service (DoS): Attackers could disrupt charging services, causing inconvenience and financial losses.
- Unauthorized Access: Exploitation of CVE-2025-54816 could allow attackers to spoof charging station statuses or execute remote commands.
- Data Manipulation: CVE-2025-55705 could enable attackers to alter charging session data, leading to billing discrepancies or safety hazards.
- Brute-Force Attacks: CVE-2025-53968 could be exploited to gain unauthorized access to charging station controls.

---

Mitigation Steps


CISA recommends the following defensive measures to minimize the risk of exploitation:

1. Network Segmentation:
   - Minimize network exposure for all control system devices.
   - Ensure charging stations are not accessible from the Internet.

2. Firewall Protection:
   - Locate control system networks and remote devices behind firewalls.
   - Isolate them from business networks.

3. Secure Remote Access:
   - Use Virtual Private Networks (VPNs) for remote access.
   - Ensure VPNs are updated to the latest version and configured securely.

4. Vendor-Specific Fixes:
   - For CVE-2025-54816, ensure charging stations use WebSocket Secure (WSS) or VPN connections.
   - For CVE-2025-55705, verify that EVMAPA has implemented fixes to prevent simultaneous connections with the same CBID.

5. Monitoring and Reporting:
   - Monitor for suspicious activity and report incidents to CISA for correlation and tracking.

For more details, refer to CISA’s [recommended practices for control systems security](https://www.cisa.gov/ics).
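
For the monitoring step, two signals follow directly from the flaws described on this page: a second live session for a CBID that is already connected, and a burst of failed authentications from one source. The following is an added example, not part of the CISA guidance; the log format, event names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque

# Constructed sample log. Assumed format: epoch_seconds source_ip cbid event
SAMPLE_LOG = "\n".join(
    ["1000 10.0.0.5 CB-001 CONNECT",
     "1010 203.0.113.9 CB-001 CONNECT",       # second live session, same CBID
     "1020 203.0.113.9 CB-001 DISCONNECT",
     "garbage line"]
    + [f"{1100 + 5 * i} 198.51.100.7 CB-002 AUTH_FAIL" for i in range(6)]
    + ["1200 10.0.0.5 CB-001 DISCONNECT",
       "1210 10.0.0.6 CB-001 CONNECT"])       # reconnect after a clean close

def analyze(log_text, max_fails=5, window_s=60):
    """Return (kind, cbid, source_ip, timestamp) alerts from backend log text."""
    live = defaultdict(list)     # cbid -> sources that currently hold a session
    fails = defaultdict(deque)   # source IP -> timestamps of recent AUTH_FAIL
    flagged = set()              # sources already reported, to avoid alert floods
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue             # skip malformed lines instead of crashing
        ts, src, cbid, event = int(parts[0]), parts[1], parts[2], parts[3]
        if event == "CONNECT":
            if live[cbid]:       # a session for this CBID is still open
                alerts.append(("duplicate_cbid", cbid, src, ts))
            live[cbid].append(src)
        elif event == "DISCONNECT":
            if src in live[cbid]:
                live[cbid].remove(src)
        elif event == "AUTH_FAIL":
            q = fails[src]
            q.append(ts)
            while ts - q[0] > window_s:      # slide the window forward
                q.popleft()
            if len(q) >= max_fails and src not in flagged:
                flagged.add(src)
                alerts.append(("auth_bruteforce", cbid, src, ts))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```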

---

Conclusion


The discovery of these vulnerabilities in EVMAPA EV charging stations highlights the growing cybersecurity risks in critical infrastructure, particularly in the transportation sector. While no public exploitation has been reported, organizations must act proactively to patch vulnerabilities, segment networks, and implement secure remote access protocols. As EV adoption continues to rise, ensuring the security of charging infrastructure will be paramount to preventing disruptions and safeguarding user trust.
