CVE-2026-22539 Overview
CVE-2026-22539 is an information disclosure vulnerability affecting electric vehicle chargers that implement the Open Charge Point Protocol (OCPP) version 1.6. The service interaction occurs without authentication, allowing an attacker on an adjacent network to query the charger and retrieve sensitive information about the device. Exploitation requires only basic familiarity with the OCPP v1.6 protocol. The weakness is categorized under CWE-201: Insertion of Sensitive Information Into Sent Data. Thales Group published the advisory describing this exposure.
Critical Impact
Unauthenticated attackers with adjacent network access can extract charger information through OCPP v1.6 service interactions, exposing operational and configuration data useful for follow-on attacks.
Affected Products
- Electric vehicle charging equipment implementing OCPP v1.6
- Charge points exposing OCPP services without authentication
- Charging station management interfaces reachable on adjacent networks
Discovery Timeline
- 2026-01-07 - CVE-2026-22539 published to the National Vulnerability Database
- 2026-04-15 - Last updated in the NVD
Technical Details for CVE-2026-22539
Vulnerability Analysis
The vulnerability stems from the absence of authentication on the OCPP v1.6 service interface exposed by the charger. OCPP is the communication standard between electric vehicle charging stations and central management systems. When the charger accepts OCPP requests without verifying the identity of the caller, any device on the same network segment can issue protocol messages.
An attacker familiar with the OCPP v1.6 message structure can craft requests to retrieve charger metadata, configuration values, and operational status. This information disclosure does not modify charger state, but it does leak details an adversary can use to map the environment.
The issue is classified under CWE-201, which describes the insertion of sensitive information into data transmitted by a product. The attack vector is adjacent network, meaning the attacker must reach the same logical network as the charger.
Root Cause
The root cause is a missing authentication control on OCPP v1.6 service endpoints. OCPP v1.6 does not mandate transport-layer authentication, and the affected implementations rely on network placement rather than cryptographic identity to gate access. Any client speaking the protocol is treated as authorized.
Attack Vector
An attacker positioned on an adjacent network connects to the OCPP v1.6 service exposed by the charger. The attacker issues protocol-defined queries that return device information such as firmware version, configuration parameters, vendor identifiers, or charging session metadata. No credentials, user interaction, or prior compromise is required. Refer to the Thales Group Security Resources for protocol-specific exploitation guidance.
Detection Methods for CVE-2026-22539
Indicators of Compromise
- Unexpected OCPP v1.6 requests originating from hosts other than the authorized Charging Station Management System (CSMS)
- Repeated BootNotification, GetConfiguration, or DataTransfer queries from the same source within short intervals
- OCPP traffic on network segments where only operational chargers and the CSMS should communicate
Detection Strategies
- Inspect network traffic on OCPP ports (commonly 80, 443, or 8080 for WebSocket transport) for sessions not originating from the authorized backend
- Correlate charger-side logs of OCPP message handlers with the source IP list of approved management systems
- Alert on enumeration patterns where a single client issues sequential read-only OCPP commands
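The following added example (not part of the advisory or any vendor tooling) shows one way to implement the allow-list and enumeration checks above over logged OCPP-J frames, where a request is the JSON array [2, uniqueId, action, payload]. The log record layout, the 60-second window, the threshold of 3 and the sample addresses are assumptions chosen for illustration.

```python
import json
from collections import defaultdict, deque

# Actions the page names as enumeration indicators.
WATCHED_ACTIONS = {"BootNotification", "GetConfiguration", "DataTransfer"}
CALL = 2  # OCPP-J message type id for a request: [2, uniqueId, action, payload]

def parse_call_action(raw):
    """Return the action name of an OCPP-J CALL frame, or None for anything else."""
    try:
        frame = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if (isinstance(frame, list) and len(frame) == 4 and frame[0] == CALL
            and isinstance(frame[2], str)):
        return frame[2]
    return None

def detect(records, allowed_sources, window_s=60, threshold=3):
    """records: iterable of (epoch_seconds, src_ip, raw_frame), time-ordered.
    Returns a sorted list of (src_ip, reason) alerts, one per source and reason."""
    alerts = set()
    recent = defaultdict(deque)  # src_ip -> timestamps of watched CALLs
    for ts, src, raw in records:
        action = parse_call_action(raw)
        if action is None:
            continue  # responses and malformed frames are not requests
        if src not in allowed_sources:
            alerts.add((src, "unauthorized-source"))
        if action in WATCHED_ACTIONS:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()  # drop requests that fell out of the window
            if len(q) >= threshold:
                alerts.add((src, "enumeration-burst"))
    return sorted(alerts)

# Constructed sample log records (not captured traffic); documentation address ranges.
SAMPLE = [
    (1000, "192.0.2.10", '[2,"a1","GetConfiguration",{"key":["HeartbeatInterval"]}]'),
    (1005, "198.51.100.7", '[2,"x1","GetConfiguration",{}]'),
    (1010, "198.51.100.7", '[2,"x2","DataTransfer",{"vendorId":"example"}]'),
    (1020, "198.51.100.7", '[2,"x3","GetConfiguration",{}]'),
    (1030, "192.0.2.10", '[3,"a1",{"status":"Accepted"}]'),
    (1400, "192.0.2.10", '[2,"a2","GetConfiguration",{}]'),
    (1500, "203.0.113.5", 'not json'),
]
```

Calling detect(SAMPLE, allowed_sources={"192.0.2.10"}) flags 198.51.100.7 for both reasons and leaves the CSMS at 192.0.2.10 unflagged, because its two requests are 400 seconds apart.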
Monitoring Recommendations
- Capture full OCPP WebSocket session metadata, including client IP, TLS state, and message types, into a centralized log store
- Baseline normal CSMS-to-charger communication volumes and flag deviations
- Monitor wireless and operational technology segments that bridge into charging infrastructure for unauthorized devices
How to Mitigate CVE-2026-22539
Immediate Actions Required
- Restrict network access to charger OCPP interfaces so only the authorized CSMS can connect
- Place chargers on segmented VLANs isolated from corporate, guest, and IoT networks
- Upgrade affected chargers to firmware that supports OCPP 2.0.1 or enforces OCPP 1.6 Security Profile 2 or 3
Patch Information
No vendor patch identifier is listed in the NVD record at publication. Consult the Thales Group Security Resources for vendor-specific firmware updates and configuration guidance addressing CVE-2026-22539.
Workarounds
- Enforce TLS with mutual certificate authentication between the charger and CSMS where the firmware supports it
- Apply firewall rules that permit OCPP traffic only from the CSMS source address
- Disable any unauthenticated diagnostic or management services exposed by the charger
- Conduct periodic network scans to confirm no rogue endpoints can reach OCPP services
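# Example: restrict OCPP WebSocket access to the authorized CSMS only
# Set CSMS_IP to the address of your CSMS (192.0.2.10 is a placeholder)
CSMS_IP="192.0.2.10"
# Rules are appended in order, so the ACCEPT must come before the DROP
iptables -A INPUT -p tcp --dport 8080 -s "$CSMS_IP" -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP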


