Critical (9.4)

WebSocket endpoint lacks auth (CVE-2026-27772)

CVE-2026-27772

Unauthenticated attacker can hijack WebSocket connections to execute arbitrary commands. Update to the latest patched version immediately.

Affected: Ev.energy Ev.energy

Patch now - CVE-2026-27772 is a critical authentication bypass in OCPP WebSocket endpoints that grants attackers unauthenticated impersonation of legitimate charging stations, enabling remote session control, data manipulation, and potential backend escalation. Immediate cryptographic credential validation is required to secure all connections.

Overview

A critical security flaw has been identified in the implementation of WebSocket endpoints used for OCPP (Open Charge Point Protocol) communications. This vulnerability allows attackers to impersonate legitimate electric vehicle charging stations without any authentication, leading to unauthorized control and data manipulation.

Vulnerability Explained

In simple terms, the system designed to communicate with charging stations is missing a crucial verification step. It’s like a secure building where the back door has no lock or guard. An attacker can connect to the communication channel (the WebSocket endpoint) by simply using a known or guessed charging station ID. Once connected, the system treats the attacker as a real charging station. This allows the attacker to both send fake commands to the backend system and receive sensitive data meant for the actual charger.

Potential Impact

The impact of this vulnerability is severe, as it provides direct access to critical infrastructure control systems.

  • Unauthorized Control: Attackers could remotely start or stop charging sessions, potentially disrupting service or damaging vehicles and infrastructure.
  • Data Corruption & Fraud: Attackers can manipulate meter values and transaction data, leading to incorrect billing and corrupting the network’s operational data.
  • Privilege Escalation: By impersonating a station, an attacker gains a trusted position within the network, which can be used as a foothold for further attacks on the central management system.
  • System-Wide Disruption: Widespread impersonation could be used to create a denial-of-service condition, overwhelming the backend and halting network operations.

Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Remediation (Permanent Fix): Implement strong authentication for all WebSocket connections before any OCPP messages are processed. This must include:

  1. Authentication Handshake: Require a secure, unique credential (like a token or certificate) from the charging station during the initial connection, not just a station ID.
  2. Validation: The backend must cryptographically validate this credential before accepting any commands or data.
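The two steps above can be enforced on the HTTP upgrade request itself, before any OCPP frame is read. The sketch below is an added example, not the vendor's code. It assumes the credential is an HTTP Basic `Authorization` header sent over `wss://` and that the station ID is the last path segment; the station ID, key, and `/ocpp/` path are constructed sample values.

```python
import base64
import hashlib
import hmac

def derive(secret: bytes, salt: bytes) -> bytes:
    # Store only a salted, slow hash of each station key, never the key itself.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

# Constructed credential store: station ID -> (salt, hash of that station's key).
STATIONS = {"CP-7F3A91": (b"salt-01", derive(b"constructed-station-key", b"salt-01"))}
DUMMY = (b"salt-00", derive(b"unused", b"salt-00"))  # same work is done for unknown IDs

def basic_header(station_id: str, key: str) -> dict:
    """Headers a provisioned station would send with its upgrade request."""
    token = base64.b64encode(f"{station_id}:{key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def authorize_upgrade(path: str, headers: dict) -> tuple:
    """Return (101, station_id) to accept the upgrade or (401, reason) to refuse it.

    Runs on the HTTP upgrade request, so no OCPP frame is parsed for a
    connection that has not proven possession of the station's key.
    """
    station_id = path.rstrip("/").rsplit("/", 1)[-1]
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401, "missing credential"
    try:
        user, sep, secret = base64.b64decode(blob, validate=True).partition(b":")
    except ValueError:
        return 401, "malformed credential"
    if not sep:
        return 401, "malformed credential"
    salt, expected = STATIONS.get(station_id, DUMMY)
    key_ok = hmac.compare_digest(derive(secret, salt), expected)
    # The credential must belong to the ID in the URL, not merely to some station.
    id_ok = station_id in STATIONS and hmac.compare_digest(user, station_id.encode())
    if not (key_ok and id_ok):
        return 401, "invalid credential"
    return 101, station_id
```

A connection that presents only a station ID in the URL gets a 401 here, and a valid key for one station is refused when used with another station's ID.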

Immediate Mitigations (Temporary Measures): If a permanent fix cannot be applied immediately, consider these steps to reduce risk:

  • Network Segmentation: Restrict access to the OCPP WebSocket endpoint using firewalls. Allow connections only from known, trusted IP ranges (e.g., those of your legitimate charging stations).
  • Intrusion Detection: Implement network monitoring to detect connection attempts from unexpected IP addresses or anomalous patterns of commands.
  • Station ID Obfuscation: Avoid using easily guessable or sequential charging station identifiers.

System administrators should contact their OCPP backend software or charging station management system vendor to obtain a patched version that implements proper WebSocket authentication.
