Critical (9.4)

WebSocket App unauthenticated hijack (CVE-2026-25851)

CVE-2026-25851

Attackers hijack WebSocket sessions without login, enabling full account takeover and data theft. Update to the latest patched version immediately.

Affected: Chargemap Chargemap.com

Patch now - CVE-2026-25851 is a critical authentication bypass in OCPP WebSocket endpoints that lets an attacker impersonate any charging station without credentials, gaining control over charging sessions, pricing, and network commands. Immediate patching is required to prevent service disruption and unauthorized access.

Overview

A critical security flaw has been identified in the implementation of WebSocket endpoints used for OCPP (Open Charge Point Protocol) communications. This vulnerability allows an attacker to impersonate any charging station on the network without requiring a password or any form of authentication.

Vulnerability Explained

In simple terms, the system designed to communicate with electric vehicle chargers is missing a critical verification step. It’s like a building security system that lets anyone claim to be an employee if they simply shout a known name at the door, without ever checking an ID badge.

An attacker can connect to the charging network’s communication port using a charging station’s identifier (which can often be discovered or guessed). Once the connection is established, the system fully trusts it, allowing the attacker to send false data to the central management system or to send malicious commands while impersonating a real charger.

Potential Impact

The consequences of this vulnerability are severe for charging network operators and their customers:

  • Unauthorized Control: Attackers could remotely start or stop charging sessions, manipulate pricing, or disable charging stations.
  • Data Corruption: False usage data, error reports, or meter values can be sent to the backend, disrupting billing, reporting, and grid management.
  • Privilege Escalation: By impersonating a station, an attacker gains the system’s trust, potentially using this position to attack other, more sensitive parts of the network.
  • Service Disruption: Widespread malicious commands could lead to a loss of service across the charging network.

Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Remediation: Apply vendor-provided patches or updates that implement proper authentication for all WebSocket connections. This typically involves enforcing certificate-based authentication (using TLS client certificates) or robust shared secret mechanisms as mandated by the OCPP standard.

Immediate Mitigations (If a Patch is Not Yet Available):

  1. Network Segmentation: Isolate the charging station network (the “OT network”) from corporate and public internet networks using firewalls. Only allow necessary communication paths to the specific backend servers.
  2. Access Control Lists (ACLs): Implement firewall rules or WebSocket gateway rules to restrict incoming WebSocket connections to known, legitimate source IP addresses, where feasible. This is not a complete fix but can reduce the attack surface.
  3. Monitoring and Logging: Increase logging for all WebSocket connection attempts and OCPP message traffic. Alert on any connection attempts from unexpected IP addresses or the use of duplicate station identifiers from multiple locations.
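
The alerting described in step 3 can be prototyped over WebSocket gateway logs. The following is an added example, not vendor or project code: the log format, the /ocpp/ path prefix, the allowlisted network and the 10-minute window are all assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed gateway log format (constructed for this example):
#   <ISO-8601 time> <source IP> GET /ocpp/<station id> <HTTP status>
LINE_RE = re.compile(r"^(\S+) (\S+) GET /ocpp/([^/\s]+) (\d{3})$")

# Assumed allowlist of charger-side networks; replace with real ranges.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WINDOW = timedelta(minutes=10)  # assumed overlap window for duplicate IDs

# Constructed sample input.
SAMPLE_LOG = """\
2026-01-10T08:00:00+00:00 10.20.0.11 GET /ocpp/CP-0001 101
2026-01-10T08:00:05+00:00 10.20.0.12 GET /ocpp/CP-0002 101
2026-01-10T08:03:10+00:00 203.0.113.50 GET /ocpp/CP-0001 101
2026-01-10T08:04:00+00:00 10.20.0.12 GET /ocpp/CP-0002 101
2026-01-10T09:30:00+00:00 10.20.0.99 GET /ocpp/CP-0002 101
"""


def detect(log_text):
    """Return a list of (reason, station_id, source_ip) alerts."""
    alerts = []
    last_seen = {}  # station_id -> (timestamp, source_ip) of latest upgrade
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not OCPP upgrade requests
        ts = datetime.fromisoformat(m.group(1))
        src = ipaddress.ip_address(m.group(2))
        station, status = m.group(3), m.group(4)
        # Alert on every attempt from outside the allowlist, accepted or not.
        if not any(src in net for net in ALLOWED_NETS):
            alerts.append(("unexpected_source", station, str(src)))
        if status != "101":
            continue  # only accepted upgrades (101) count as live sessions
        # Same station ID accepted from a different address within WINDOW.
        prev = last_seen.get(station)
        if prev and prev[1] != src and ts - prev[0] <= WINDOW:
            alerts.append(("duplicate_station_id", station, str(src)))
        last_seen[station] = (ts, src)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A station that legitimately changes address (for example after a cellular reconnect) will trip the duplicate-ID rule inside the window, so tune the window and allowlist to the deployment before alerting on it.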

Operators should contact their charging management software or hardware vendor to confirm their system’s status and obtain the necessary security updates.
