CVE-2026-22552 Overview
CVE-2026-22552 is a critical authentication bypass vulnerability affecting WebSocket endpoints in EV charging station infrastructure. The vulnerability stems from the lack of proper authentication mechanisms on OCPP (Open Charge Point Protocol) WebSocket endpoints, enabling unauthenticated attackers to perform unauthorized station impersonation and manipulate data sent to backend systems.
An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as if they were a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Critical Impact
Unauthenticated remote attackers can impersonate legitimate charging stations, gain unauthorized control of charging infrastructure, manipulate backend data, and potentially escalate privileges across the charging network.
Affected Products
- ePower Charging Station Management Systems
- OCPP WebSocket Endpoints (unspecified versions)
- EV Charging Infrastructure Backend Systems
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-22552 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-22552
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), which represents a fundamental security flaw where a critical system function lacks any authentication mechanism. In this case, the OCPP WebSocket endpoints—which serve as the communication channel between EV charging stations and backend management systems—do not verify the identity of connecting clients.
The vulnerability allows network-accessible attackers to establish WebSocket connections to the OCPP endpoint without providing any credentials. Once connected, the attacker can send and receive OCPP protocol messages, effectively masquerading as any charging station whose identifier they know or can discover through enumeration.
The attack surface is particularly concerning for several reasons: the network-accessible nature of the endpoints means attacks can originate from anywhere with network connectivity to the target system; no authentication requirement means attackers face no barrier to exploitation; and the ability to both send and receive commands provides full bidirectional control over the impersonated station's communication channel.
Root Cause
The root cause of CVE-2026-22552 is the complete absence of authentication mechanisms on the OCPP WebSocket endpoints. The system accepts connections and processes OCPP commands based solely on the charging station identifier provided during connection, without verifying that the connecting client is actually the legitimate charging station.
This represents a design flaw where the system implicitly trusts that any client presenting a valid station identifier is the authentic station, rather than implementing proper authentication protocols such as certificate-based authentication, token validation, or mutual TLS.
Attack Vector
The attack vector for CVE-2026-22552 is network-based, requiring no user interaction and no prior privileges. An attacker can exploit this vulnerability through the following attack flow:
Discovery Phase: The attacker identifies target OCPP WebSocket endpoints through network scanning or reconnaissance. Station identifiers may be discovered through enumeration, information disclosure, or prior knowledge.
Connection Establishment: The attacker initiates a WebSocket connection to the OCPP endpoint, providing a valid or target charging station identifier.
Station Impersonation: Without any authentication challenge, the connection is accepted and the attacker can now communicate with the backend as if they were the legitimate charging station.
Exploitation: The attacker can issue OCPP commands to manipulate charging sessions, report false telemetry data, receive configuration updates intended for the legitimate station, or corrupt backend data integrity.
This attack does not require any specialized tools beyond standard WebSocket clients and knowledge of the OCPP protocol.
Detection Methods for CVE-2026-22552
Indicators of Compromise
- Multiple simultaneous connections from different IP addresses claiming the same station identifier
- Connections from unexpected geographic locations or IP ranges for known station deployments
- Unusual OCPP command patterns or sequences that deviate from normal station behavior
- Rapid connection/disconnection cycles on station identifiers
- Station telemetry data inconsistencies or conflicting reports from the same identifier
Detection Strategies
- Implement network monitoring to detect WebSocket connections from unauthorized IP addresses to OCPP endpoints
- Deploy anomaly detection to identify unusual connection patterns or command sequences on charging station identifiers
- Enable comprehensive logging of all WebSocket connections including source IP, connection timestamps, and station identifiers claimed
- Cross-reference connected station identifiers against known station inventory and expected network locations
Monitoring Recommendations
- Configure alerts for any station identifier connected from multiple concurrent sessions
- Monitor for OCPP commands issued outside of normal operational patterns for each station
- Establish baseline network behavior for legitimate charging stations and alert on deviations
- Review connection logs regularly for connections from unexpected network segments or external addresses
How to Mitigate CVE-2026-22552
Immediate Actions Required
- Restrict network access to OCPP WebSocket endpoints using firewall rules and network segmentation
- Implement IP allowlisting to permit connections only from known charging station network addresses
- Deploy a VPN or private network connection between charging stations and backend systems
- Enable enhanced logging on all OCPP WebSocket connections pending implementation of proper authentication
- Review connection logs for evidence of unauthorized station impersonation
Patch Information
Consult the ePower Support Page for vendor-provided patches and security updates. Additional technical details and advisories are available in the CISA ICS Advisory ICSA-26-062-07 and the GitHub CSAF Document.
Organizations should prioritize implementing vendor-recommended security controls and applying any available firmware or software updates that address the authentication weakness.
Workarounds
- Implement network-level access controls to restrict OCPP endpoint connectivity to trusted networks only
- Deploy mutual TLS (mTLS) at the network layer to authenticate station connections until application-level authentication is available
- Use a reverse proxy or API gateway with authentication capabilities in front of the OCPP WebSocket endpoints
- Segment charging station networks from general enterprise or public networks
- Monitor and alert on any connections that do not originate from expected station IP addresses
# Example firewall rule to restrict OCPP WebSocket access (adjust ports and IPs as needed)
# Allow only known charging station IP ranges to connect to OCPP port
iptables -A INPUT -p tcp --dport 9000 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
# Enable connection logging for audit purposes
iptables -A INPUT -p tcp --dport 9000 -j LOG --log-prefix "OCPP_CONNECTION: "
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
