WebSocket endpoints unauthenticated access
CVE-2026-24731
Patch now: CVE-2026-24731 is a critical authentication bypass in OCPP WebSocket endpoints. An unauthenticated attacker who knows or guesses a station identifier can impersonate that charging station, control its charging sessions and manipulate the data the backend records. Immediate patching is required.
Overview
A critical security flaw has been identified in the implementation of the WebSocket endpoints used for OCPP (Open Charge Point Protocol) communication between charging stations and their central management system. The flaw allows an attacker to impersonate a legitimate electric vehicle charging station without presenting any password, token or client certificate.
Vulnerability Explained
In simple terms, the backend that talks to charging stations is missing a verification step. In OCPP-J a station opens a persistent WebSocket connection to a URL whose last path segment is the station's own identity (for example /ocpp/CP001), and the OCPP security profiles expect the backend to authenticate that connection during the HTTP upgrade, either with HTTP Basic credentials issued per station or with a TLS client certificate. The affected implementation accepts the connection without checking either: whatever identity appears in the URL is trusted. Station identifiers can often be discovered or guessed (they are frequently serial numbers or sequential names), so an attacker who learns one can connect with it and is from then on treated as that charging station by the central management system.
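The handshake logic below is an added example written for this advisory, not code from any vendor or from the affected product. It models only the parts of the HTTP upgrade request a CSMS needs for the decision (URL path, Authorization header, peer address) so it runs offline, and shows the flawed behaviour described above next to a check that binds HTTP Basic credentials (OCPP security profile 1/2 style) to the identity in the path. Station identities, passwords and the /ocpp/ prefix are constructed for the example.

```python
"""CSMS-side check of an OCPP-J WebSocket upgrade request (hypothetical)."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class UpgradeRequest:
    path: str                                   # OCPP-J: /<prefix>/<chargePointIdentity>
    headers: Dict[str, str] = field(default_factory=dict)
    peer_ip: str = "0.0.0.0"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Per-station Basic-auth passwords, stored salted and hashed (constructed data)."""
    store = {}
    for identity, password in passwords.items():
        salt = os.urandom(16)
        store[identity] = (salt, _hash_password(password, salt))
    return store


def basic_header(identity: str, password: str) -> str:
    """What a station sends during the upgrade: 'Basic base64(identity:password)'."""
    return "Basic " + base64.b64encode(f"{identity}:{password}".encode()).decode()


def identity_from_path(path: str) -> Optional[str]:
    """OCPP-J carries the charge point identity in the last URL path segment."""
    parts = [p for p in path.split("/") if p]
    return parts[-1] if parts else None


def vulnerable_accept(req: UpgradeRequest, store) -> Optional[str]:
    """The flaw the advisory describes: any request naming a known identity in
    the path is trusted as that station. No credential is examined at all."""
    identity = identity_from_path(req.path)
    return identity if identity in store else None


def hardened_accept(req: UpgradeRequest, store) -> Optional[str]:
    """Demand HTTP Basic credentials and bind them to the identity in the path."""
    identity = identity_from_path(req.path)
    if identity not in store:
        return None
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None                              # no credential presented
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None                              # malformed header
    user, sep, password = decoded.partition(":")
    if not sep or user != identity:
        return None                              # CP002's password must not open CP001's session
    salt, expected = store[identity]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None                              # wrong password
    return identity


def demo() -> Dict[str, Optional[str]]:
    store = make_store({"CP001": "cp001-secret", "CP002": "cp002-secret"})
    attacker = UpgradeRequest("/ocpp/CP001", {}, "203.0.113.9")   # knows only the identifier
    borrowed = UpgradeRequest("/ocpp/CP001",                     # valid creds of another station
                              {"Authorization": basic_header("CP002", "cp002-secret")})
    legit = UpgradeRequest("/ocpp/CP001",
                           {"Authorization": basic_header("CP001", "cp001-secret")})
    return {
        "vulnerable_attacker": vulnerable_accept(attacker, store),   # 'CP001'
        "hardened_attacker": hardened_accept(attacker, store),       # None
        "hardened_borrowed": hardened_accept(borrowed, store),       # None
        "hardened_legit": hardened_accept(legit, store),             # 'CP001'
    }


if __name__ == "__main__":
    print(demo())
```

The check that the Basic username equals the path identity matters as much as the password check: without it, one compromised station's credentials would let an attacker impersonate any other station in the fleet. For security profile 3 the same binding applies to the client certificate's subject.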
Potential Impact
The impact of this vulnerability is severe and wide-ranging:
- Unauthorized Control: An impostor can report fake transaction starts, stops and status changes for the station it impersonates, and because the backend routes traffic for that identity to the impostor's connection, it can also swallow or answer commands meant for the real station (remote start and stop, reset, configuration changes). The result is denied or disrupted charging and potential damage to vehicles or infrastructure.
- Data Manipulation and Fraud: Forged meter values and transaction records corrupt billing and energy accounting, leading to financial loss and operational chaos.
- Privilege Escalation: By impersonating a station, an attacker gains a trusted position within the network, which can serve as a foothold for further attacks on the central management system.
- Loss of Trust and Safety Risks: Widespread manipulation can cripple network operations and poses safety risks if charging hardware is driven into unsafe states.
Remediation and Mitigation
Immediate action is required to secure affected systems.
Primary Remediation (Patching): Apply the official security patch provided by your OCPP backend software or charging station management system vendor as soon as it is available. This patch must enforce strong authentication on all WebSocket connections.
Immediate Mitigations: If a patch is not immediately available, implement the following controls:
- Network Access Control: Restrict access to the OCPP WebSocket endpoint (typically on ports 80/443, or a vendor-specific port such as 9000) with firewall rules so that only known station addresses or VPN tunnels can reach it. Stations on cellular links often sit behind carrier NAT or change address, so a VPN or private APN is more dependable than a per-IP allow list.
- Implement Authentication: If the software allows, enable and enforce the authentication the OCPP security profiles define: HTTP Basic credentials with a unique password per station (profiles 1 and 2) or TLS client certificates (profile 3). The backend must verify that the credential belongs to the identity in the connection URL; a station ID alone, or one password shared across the fleet, is not authentication.
- Monitor Logs: Closely monitor connection logs for the OCPP backend. Investigate connection attempts from unfamiliar addresses, any station identity connected from two addresses at the same time, and a station that boots or reconnects while its identity is already online.
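The detection below is an added example for the monitoring mitigation, not part of the advisory or any vendor's tooling. The log format and the sample lines are constructed (a backend that logs one line per WebSocket accept and close with the OCPP path and peer address); the regular expression and the allow-listed network are assumptions to adapt to your own backend's logs. It raises an alert for an accept from outside the known station networks and for an identity that is accepted while still connected from another address.

```python
"""Hunt CSMS WebSocket connection logs for impersonation indicators (constructed format)."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Assumption: the operator's stations reach the backend only from these networks.
KNOWN_STATION_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed log line shape: "<ts> <level> ws-accept|ws-close path=/ocpp/<id> peer=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ws-(?P<event>accept|close) "
    r"path=/ocpp/(?P<cp>\S+) peer=(?P<ip>\S+)$"
)

# Constructed sample: CP001 is connected from a known address when a second
# connection for the same identity arrives from 203.0.113.9.
SAMPLE_LOG = """\
2026-02-11T08:00:01Z INFO ws-accept path=/ocpp/CP001 peer=198.51.100.10
2026-02-11T08:00:05Z INFO ws-accept path=/ocpp/CP002 peer=198.51.100.11
2026-02-11T08:01:13Z INFO ws-accept path=/ocpp/CP001 peer=203.0.113.9
2026-02-11T08:03:40Z INFO ws-close path=/ocpp/CP001 peer=198.51.100.10
2026-02-11T08:04:02Z INFO ws-accept path=/ocpp/CP001 peer=198.51.100.10
2026-02-11T08:06:30Z INFO ws-close path=/ocpp/CP001 peer=203.0.113.9
"""


def analyze(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, rule, detail) alerts.

    unknown-peer:        accept from an address outside KNOWN_STATION_NETS
    concurrent-identity: accept for an identity that still has an open
                         session from a different address
    """
    active: Dict[str, Set[str]] = {}        # identity -> peer IPs with open sessions
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # unrelated line
        ts, event, cp, ip = m.group("ts", "event", "cp", "ip")
        peers = active.setdefault(cp, set())
        if event == "accept":
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in KNOWN_STATION_NETS):
                alerts.append((ts, "unknown-peer", f"{cp} from {ip}"))
            others = sorted(peers - {ip})
            if others:
                alerts.append((ts, "concurrent-identity",
                               f"{cp} from {ip} while still connected from {others}"))
            peers.add(ip)
        else:
            peers.discard(ip)
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(f"{ts} {rule}: {detail}")
```

On the sample the third line fires both rules (unknown address, and CP001 already online), and the reconnect of the real station at 08:04:02 fires concurrent-identity again because the impostor's session is still open. The second alert is the one to act on even if the address itself looks legitimate: a genuine station cannot hold two sessions at once.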
General Recommendation: Contact your charging infrastructure or software vendor directly to confirm if your specific system is affected and to obtain a patching timeline. Do not assume your deployment is secure without verification.