The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls: 1-Enforce modern security profiles and stronger authentication. 2-Device level whitelisting was implemented to ensure authorized devices connect. 3-Rate limiting controls prevent excessive requests and reduces denial-of-service attacks. 4-Enhanced automated monitoring and alerting to detection abnormal network activity.
Devices using the encrypted deployment of eParking's OCPP servers or
IGL-Technologies proprietary eTolppa protocol are not impacted by these
vulnerabilities.
To prevent this in the future IGL-Technologies will continue
vulnerability monitoring under their ISO 27001:2022 security program and
tighten security requirements for future third‑party OCPP hardware
approvals.
For more information please contact the IGL-Technologies security team at this email address: security@igl.fi.
mailto:security@igl.fi
Configurations
Workarounds
Exploits
Credits
finder
Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.