CVE-2026-20781: WebSocket
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can c...
Overview
A critical security flaw has been identified in the implementation of WebSocket endpoints used for OCPP (Open Charge Point Protocol) communications. This vulnerability allows an attacker to impersonate any charging station on the network without providing any credentials, leading to unauthorized access and control.
Vulnerability Explained
In simple terms, the system designed to communicate with electric vehicle chargers is missing a critical verification step. It uses WebSocket connections (a persistent communication channel) but does not properly check who is connecting.
An attacker can connect to this communication port using a charging station’s identifier, which may be easy to guess or discover. Once connected, the system treats the attacker as a legitimate, trusted charger. This allows the attacker to send false data to the central management system or issue malicious commands directly to the backend as if they were a real station.
Potential Impact
The consequences of this vulnerability are severe, warranting its CRITICAL severity rating (CVSS: 9.4).
- Unauthorized Control: Attackers could remotely start or stop charging sessions, manipulate pricing, or disable charging stations.
- Data Corruption: False operational data, usage statistics, and error reports could be sent to the backend, disrupting billing, maintenance, and grid management.
- Privilege Escalation: By impersonating a station, an attacker gains a trusted position within the network, which could be used as a foothold for further attacks on the central management system.
- Infrastructure Disruption: Widespread manipulation could lead to service outages, financial loss, and damage to the reliability of the charging network.
Remediation and Mitigation
Immediate action is required to secure affected systems.
Primary Remediation: The definitive solution is to implement robust authentication for all WebSocket connections to the OCPP backend. This should involve:
- Requiring a unique, cryptographically strong secret (like a token or certificate) from each charging station during the connection handshake.
- Ensuring the backend validates this credential before accepting any commands or data.
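The two remediation points above, as an added example that is not code from the advisory or from any OCPP vendor: a handshake gate that binds a per-station secret to the identity claimed in the request. The URL layout /ocpp/<station-id>, the use of HTTP Basic authentication to carry the secret, the Decision type and the key store are assumptions made for this illustration; the vulnerable_gate function reproduces the pattern the advisory describes (identity taken from the URL, nothing verified) for side-by-side comparison.

```python
# Added example (not code from the advisory or any vendor): a WebSocket handshake
# gate for an OCPP backend. The /ocpp/<station-id> path layout and HTTP Basic auth
# carrying a per-station secret are assumptions for illustration.
import base64
import binascii
import hmac
import secrets
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Decision:
    accepted: bool
    station_id: Optional[str]
    reason: str


def station_id_from_path(path: str) -> Optional[str]:
    """Extract the station identity from an assumed /ocpp/<station-id> request path."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segments) == 2 and segments[0] == "ocpp":
        return segments[1]
    return None


def vulnerable_gate(path: str, headers: Mapping[str, str]) -> Decision:
    """The pattern the advisory describes: the identity in the URL is trusted as-is."""
    station_id = station_id_from_path(path)
    if station_id is None:
        return Decision(False, None, "malformed path")
    return Decision(True, station_id, "identity taken from URL, no credential checked")


def hardened_gate(path: str, headers: Mapping[str, str],
                  station_keys: Mapping[str, bytes]) -> Decision:
    """Accept the upgrade only if the station proves possession of its secret."""
    station_id = station_id_from_path(path)
    if station_id is None:
        return Decision(False, None, "malformed path")

    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, encoded = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return Decision(False, None, "missing or unsupported credential")
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return Decision(False, None, "undecodable credential")
    username, sep, presented = decoded.partition(b":")
    if not sep:
        return Decision(False, None, "malformed credential")

    # The credential must be bound to the identity claimed in the URL; otherwise a
    # valid key for station A could be used to speak as station B.
    if not hmac.compare_digest(username, station_id.encode()):
        return Decision(False, None, "credential does not match claimed identity")

    # Compare against a random dummy when the id is unknown so response time does
    # not reveal which identifiers exist; the result is rejected either way.
    expected = station_keys.get(station_id)
    reference = expected if expected is not None else secrets.token_bytes(32)
    matches = hmac.compare_digest(presented, reference)
    if expected is None or not matches:
        return Decision(False, None, "unknown station or wrong key")
    return Decision(True, station_id, "authenticated")


def make_basic_auth(station_id: str, key: bytes) -> str:
    """Build the Authorization header a station would send (used by the demo below)."""
    return "Basic " + base64.b64encode(station_id.encode() + b":" + key).decode()


if __name__ == "__main__":
    # Constructed sample key store; a real backend loads per-station secrets from storage.
    keys = {"CP-0001": b"constructed-example-key"}
    print(vulnerable_gate("/ocpp/CP-0001", {}))
    print(hardened_gate("/ocpp/CP-0001", {}, keys))
    print(hardened_gate("/ocpp/CP-0001",
                        {"Authorization": make_basic_auth("CP-0001", b"constructed-example-key")},
                        keys))
```

The gate runs once, at the HTTP upgrade, so no OCPP frame is parsed before the station has proven possession of its key; the identity comparison and the key comparison both use hmac.compare_digest so that neither check leaks information through timing.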
Immediate Mitigations: If a permanent fix cannot be applied immediately, consider these steps to reduce risk:
- Network Segmentation: Isolate the OCPP backend and charging station network segments from other corporate networks and the public internet. Restrict access using firewalls to only allow connections from known, legitimate station IP addresses where possible.
- Intrusion Detection: Implement network monitoring to detect anomalous connection patterns or commands originating from unexpected sources.
- Identifier Obfuscation: Avoid using easily guessable or sequential charging station identifiers. However, this is a weak mitigation and should not be relied upon alone.
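The network segmentation and intrusion detection mitigations above, as an added example (not from the advisory or any product): detection logic run over constructed connection-log lines from a WebSocket front end. It flags a registered station connecting from an address outside its allow-list, the same identity active from two sources at once, connections claiming unregistered identifiers, and one source cycling through several identifiers. The log format, the station-to-address registry, the sample addresses (RFC 5737 documentation ranges) and the threshold are assumptions chosen for this illustration.

```python
# Added example (not from the advisory): connection-log analysis for the monitoring
# mitigation. Log format, registry, addresses and thresholds are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) station=(?P<sid>\S+) event=(?P<ev>connect|disconnect)$"
)

# Constructed registry: each legitimate station and the source addresses it is
# expected to connect from (the firewall allow-list in the advisory's terms).
KNOWN_STATIONS: Dict[str, Set[str]] = {
    "CP-0001": {"203.0.113.10"},
    "CP-0002": {"203.0.113.11"},
}

# Constructed sample log for the demo.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z src=203.0.113.10 station=CP-0001 event=connect
2026-01-15T10:00:02Z src=203.0.113.11 station=CP-0002 event=connect
2026-01-15T10:00:05Z src=198.51.100.7 station=CP-0001 event=connect
2026-01-15T10:00:06Z src=198.51.100.7 station=CP-0003 event=connect
2026-01-15T10:00:07Z src=198.51.100.7 station=CP-0004 event=connect
2026-01-15T10:00:09Z src=203.0.113.11 station=CP-0002 event=disconnect
"""


@dataclass(frozen=True)
class Alert:
    kind: str
    station: str
    src: str
    ts: str


def analyze(lines: Iterable[str], known: Dict[str, Set[str]],
            enumeration_threshold: int = 3) -> List[Alert]:
    """Walk the log in order and emit an Alert for each suspicious connect event."""
    alerts: List[Alert] = []
    active: Dict[str, str] = {}                           # station id -> connected source
    ids_per_src: Dict[str, Set[str]] = defaultdict(set)   # distinct ids claimed per source
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsed lines are skipped in this demo
        ts, src, sid, ev = m["ts"], m["src"], m["sid"], m["ev"]
        if ev == "disconnect":
            if active.get(sid) == src:
                del active[sid]
            continue
        if sid not in known:
            alerts.append(Alert("unknown-station", sid, src, ts))
        elif src not in known[sid]:
            alerts.append(Alert("unexpected-source", sid, src, ts))
        # A second source claiming an identity that is already connected is the
        # impersonation pattern the advisory describes.
        if sid in active and active[sid] != src:
            alerts.append(Alert("concurrent-identity", sid, src, ts))
        active[sid] = src
        ids_per_src[src].add(sid)
        # One source claiming many identities suggests identifier guessing.
        if len(ids_per_src[src]) == enumeration_threshold:
            alerts.append(Alert("enumeration", sid, src, ts))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines(), KNOWN_STATIONS):
        print(alert)
```

In the constructed log the third line triggers both the unexpected-source and concurrent-identity checks, which is the combination worth paging on: a registered identity is in use from two places, and the new one is outside the station's allow-list.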
System administrators should contact their OCPP backend software or charging station management system vendor for a patched version that includes proper WebSocket authentication.