CVE-2026-22539 Overview
CVE-2026-22539 is an information disclosure vulnerability affecting electric vehicle (EV) charging infrastructure utilizing the Open Charge Point Protocol (OCPP) v1.6. The vulnerability stems from unauthenticated service interactions that allow attackers with adjacent network access and knowledge of the protocol to extract sensitive information about the charger without proper authorization.
Critical Impact
Attackers on adjacent networks can obtain sensitive charger information without authentication, potentially exposing operational data, configuration details, and infrastructure information that could facilitate further attacks on EV charging networks.
Affected Products
- EV charging stations implementing OCPP v1.6 protocol
- Charging infrastructure management systems using unauthenticated OCPP communications
- Backend systems connected to vulnerable OCPP v1.6 endpoints
Discovery Timeline
- 2026-01-07 - CVE-2026-22539 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-22539
Vulnerability Analysis
This vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), indicating that the OCPP v1.6 implementation exposes sensitive charger information through its communication protocol without requiring authentication. The adjacent network attack vector means an attacker must have network proximity to the target charging infrastructure, such as being on the same local network segment or within wireless range of the charging station's network interface.
The lack of authentication in the service interaction represents a fundamental security design flaw. OCPP v1.6, while widely deployed in EV charging infrastructure, was designed with optional security features that many implementations fail to properly configure. This allows malicious actors to query chargers directly and obtain information about their configuration, status, and potentially connected backend systems.
Root Cause
The root cause of this vulnerability lies in the implementation of OCPP v1.6 service interactions without enforcing authentication mechanisms. The protocol specification allows for security profiles, but the affected implementation performs service interactions in an unauthenticated manner. This design decision creates an exposure where any entity with network access and protocol knowledge can interact with the charger as if they were an authorized central system.
Attack Vector
The attack requires adjacent network access, meaning the attacker must be positioned on a network segment that can communicate with the vulnerable charging equipment. This could include:
- Physical proximity to charging station networks
- Compromised systems on the same network infrastructure
- Access through misconfigured network segmentation
Once network access is achieved, an attacker with knowledge of the OCPP v1.6 protocol structure can craft requests to the charging station. The lack of authentication means these requests are processed without validation of the requester's identity, returning information about the charger including operational status, configuration parameters, and potentially sensitive identifiers.
The vulnerability exploits the trust model inherent in unauthenticated OCPP implementations where the charging station assumes all incoming communications from the network are legitimate. An attacker can send standard OCPP messages such as GetConfiguration, GetDiagnostics, or status requests to enumerate charger details. For technical details on the OCPP protocol and security considerations, refer to the Thales Group Security Solutions advisory.
Detection Methods for CVE-2026-22539
Indicators of Compromise
- Unusual OCPP message traffic originating from unauthorized IP addresses or network segments
- Unexpected GetConfiguration or similar information-gathering requests from unknown sources
- Network connections to OCPP endpoints (typically WebSocket on ports 80/443 or custom ports) from non-central system addresses
- Anomalous patterns of charger status queries that deviate from normal operational polling
Detection Strategies
- Implement network monitoring for OCPP traffic and establish baselines for normal communication patterns
- Deploy intrusion detection rules to identify OCPP protocol messages from unauthorized sources
- Monitor for connection attempts to charging infrastructure from unexpected network segments
- Analyze logs from charging management systems for authentication failures or anonymous access attempts
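The source-based detection described above, as an added example (not code from the advisory or from any vendor): it parses decoded OCPP-J text frames and flags GetConfiguration and GetDiagnostics requests whose source is outside an allowlist. The record layout, the sample frames and the allowlisted address (10.0.1.100, the example value used in this page's firewall rules) are assumptions.

```python
import ipaddress
import json
from collections import Counter

# Assumption: the only authorized central system address (example value).
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.0.1.100/32")]
# Central-system-initiated OCPP 1.6 actions that return charger details.
INFO_ACTIONS = {"GetConfiguration", "GetDiagnostics"}
CALL = 2  # OCPP-J MessageTypeId of a request: [2, uniqueId, action, payload]

# Constructed sample records: (timestamp, source IP, decoded WebSocket text frame).
SAMPLE_FRAMES = [
    ("2026-01-09T08:00:01Z", "10.0.1.100", '[2,"a1","GetConfiguration",{}]'),
    ("2026-01-09T08:00:02Z", "10.0.5.20", '[3,"a1",{"configurationKey":[]}]'),
    ("2026-01-09T08:03:12Z", "10.0.7.23", '[2,"x9","GetConfiguration",{}]'),
    ("2026-01-09T08:03:13Z", "10.0.7.23", '[2,"x10","GetDiagnostics",{}]'),
    ("2026-01-09T08:04:00Z", "10.0.5.20", '[2,"h1","Heartbeat",{}]'),
    ("2026-01-09T08:05:00Z", "10.0.9.4", "not-json"),
]

def is_authorized(src):
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_SOURCES)

def parse_call(raw):
    """Return the action name if raw is a well-formed OCPP-J CALL, else None."""
    try:
        msg = json.loads(raw)
    except ValueError:  # malformed frame: not a CALL
        return None
    if isinstance(msg, list) and len(msg) == 4 and msg[0] == CALL and isinstance(msg[2], str):
        return msg[2]
    return None

def find_unauthorized_queries(frames):
    """Flag information-gathering CALLs sent by non-allowlisted sources."""
    alerts = []
    for ts, src, raw in frames:
        action = parse_call(raw)
        if action in INFO_ACTIONS and not is_authorized(src):
            alerts.append({"time": ts, "src": src, "action": action})
    return alerts

def queries_per_source(alerts):
    """Count flagged requests per source to surface enumeration bursts."""
    return Counter(alert["src"] for alert in alerts)

if __name__ == "__main__":
    for alert in find_unauthorized_queries(SAMPLE_FRAMES):
        print(alert)
```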
Monitoring Recommendations
- Enable detailed logging on OCPP-enabled charging equipment and backend systems
- Implement network segmentation monitoring to detect lateral movement toward charging infrastructure
- Deploy SentinelOne agents on systems managing charging infrastructure to detect reconnaissance activities
- Establish alerting for any OCPP communications that bypass expected authentication workflows
How to Mitigate CVE-2026-22539
Immediate Actions Required
- Audit network architecture to ensure charging infrastructure is properly segmented from general network access
- Enable authentication mechanisms in OCPP implementations where supported (Security Profile 1, 2, or 3)
- Review access control lists to restrict which systems can communicate with charging stations
- Implement TLS encryption for all OCPP communications to prevent eavesdropping
Patch Information
Organizations should consult their charging station vendor and the Thales Group Security Solutions advisory for specific firmware updates or configuration guidance that addresses this authentication gap. Upgrading to OCPP implementations that enforce mandatory authentication or migrating to OCPP 2.0.1, which has enhanced security features, should be evaluated as a long-term remediation strategy.
Workarounds
- Implement network-level access controls using firewalls to restrict OCPP traffic to authorized central systems only
- Deploy VPN or private network connectivity between charging stations and backend management systems
- Enable OCPP Security Profiles where available in current firmware to add authentication layers
- Consider deploying network access control (NAC) solutions to authenticate devices before granting network access to charging infrastructure segments
Network segmentation provides an effective workaround by limiting adjacent network access. Configure firewall rules to ensure only the authorized central management system IP addresses can communicate with charging station OCPP endpoints:
# Example iptables rules to restrict OCPP access
# (10.0.1.100 and port 8080 are example values; substitute your central system address and OCPP port)
# Allow only the authorized central system to communicate with the charger's OCPP port
iptables -A INPUT -p tcp --dport 8080 -s 10.0.1.100 -j ACCEPT
# Log blocked OCPP connection attempts for monitoring (LOG is non-terminating, so it must precede DROP)
iptables -A INPUT -p tcp --dport 8080 -j LOG --log-prefix "OCPP-BLOCKED: "
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


