ByteOS Network

NVD Vulnerability Details :

CVE-2026-25851

Awaiting Analysis

Source-ics-cert@hq.dhs.gov

Published At-27 Feb, 2026 | 00:16

Updated At-27 Feb, 2026 | 14:06

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	9.4	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Type: Secondary

Version: 3.1

Base score: 9.4

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Weaknesses

CWE ID	Type	Source
CWE-306	Primary	ics-cert@hq.dhs.gov

CWE ID: CWE-306

Type: Primary

Source: ics-cert@hq.dhs.gov

References

Hyperlink	Source	Resource
https://chargemap.com/en-us/support	ics-cert@hq.dhs.gov	N/A
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json	ics-cert@hq.dhs.gov	N/A
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05	ics-cert@hq.dhs.gov	N/A