IGL-Technologies Patches Critical Authentication Bypass in eParking.fi Platform
Take action: Isolate your EV charging infrastructure as much as possible from the public internet and public network access. Verify that your hardware supports the vendor's new security profiles. Since station identifiers were leaked on public maps, you should treat existing IDs as compromised and implement device whitelisting.
IGL-Technologies, a Finnish provider of electric vehicle (EV) infrastructure, reports four security vulnerabilities in its eParking.fi platform.
Vulnerability summary:
- CVE-2026-29796 (CVSS score 9.4) - A missing authentication vulnerability in the OCPP WebSocket endpoints. Attackers can connect to the backend using a known charging station identifier to impersonate a legitimate charger. This allows them to send or receive commands, escalate privileges, and corrupt charging data without any credentials.
- CVE-2026-31903 (CVSS score 7.5) - An improper restriction of excessive authentication attempts in the WebSocket API. The lack of rate limiting lets attackers flood the system with requests to suppress legitimate telemetry or run brute-force attacks. This can lead to a denial-of-service (DoS) state for the charging network.
- CVE-2026-32663 (CVSS score 7.3) - An insufficient session expiration flaw that allows multiple endpoints to use the same session identifier. Because identifiers are predictable, attackers can perform session hijacking or "shadowing" to displace a real charging station. The attacker then receives all backend commands intended for the original device.
- CVE-2026-31926 (CVSS score 6.5) - An insufficiently protected credentials vulnerability where charging station identifiers are publicly visible. These identifiers are exposed through web-based mapping platforms, providing the necessary data for attackers to exploit the authentication bypasses mentioned above.
By exploiting the lack of authentication and predictable session IDs, attackers can manipulate charging parameters or disrupt service availability.
The vulnerabilities affect all versions of the IGL-Technologies eParking.fi platform. IGL-Technologies updated its OCPP servers to enforce modern security profiles and stronger authentication. The vendor also implemented device-level whitelisting so that only authorized units can connect, and added rate-limiting controls to reduce the risk of denial-of-service attacks. Systems using encrypted OCPP deployments or the proprietary eTolppa protocol are not affected by these issues.
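As an added illustration (not IGL-Technologies' code; the advisory does not describe their implementation), here is the kind of server-side connection gate the three controls above amount to: every OCPP WebSocket upgrade to `/ocpp/<station_id>` must carry HTTP Basic credentials whose username equals the allowlisted station ID (the convention of OCPP security profiles 1 and 2), failed credential checks are rate-limited per station, and a second connection for an already-active station is refused rather than silently displacing the real charger. The station ID, password, path layout and limits are constructed sample values.

```python
import base64
import hmac
import time
from collections import defaultdict, deque

# Constructed sample allowlist (station ID -> password); a real backend stores a hash.
ALLOWLIST = {"FI-HEL-0001": "s3cret-per-station"}
MAX_FAILURES = 5     # failed credential checks per station before lockout
WINDOW_SECONDS = 60  # sliding window, in seconds, for counting failures

def basic_header(user, password):
    """Build the HTTP Basic Authorization value a charger would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class ConnectionGate:
    def __init__(self, allowlist, now=time.monotonic):
        self.allowlist = allowlist
        self.now = now                       # injectable clock, for testing
        self.failures = defaultdict(deque)   # station ID -> failure timestamps
        self.active = set()                  # station IDs with a live session

    def _rate_limited(self, station_id):
        window = self.failures[station_id]
        cutoff = self.now() - WINDOW_SECONDS
        while window and window[0] < cutoff:
            window.popleft()                 # forget failures outside the window
        return len(window) >= MAX_FAILURES

    def _credentials_ok(self, station_id, authorization):
        expected = self.allowlist.get(station_id)
        if expected is None or not (authorization or "").startswith("Basic "):
            return False                     # unknown station or no credentials
        try:
            user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
        except ValueError:                   # malformed base64 or UTF-8
            return False
        # Username must equal the station ID in the path; constant-time password compare
        return user == station_id and hmac.compare_digest(password.encode(), expected.encode())

    def evaluate(self, path, authorization):
        """Gate an upgrade to /ocpp/<station_id>; returns (accepted, reason)."""
        station_id = path.rstrip("/").rsplit("/", 1)[-1]
        if self._rate_limited(station_id):
            return False, "rate_limited"     # decided before any credential check
        if not self._credentials_ok(station_id, authorization):
            self.failures[station_id].append(self.now())
            return False, "unauthorized"
        if station_id in self.active:
            return False, "already_connected"  # a new socket must not displace it
        self.active.add(station_id)
        return True, "accepted"
```

A production gate would additionally run behind TLS (profile 2) or client certificates (profile 3) and release the `active` entry when the socket closes.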
Remediation is primarily handled through the vendor's server-side updates, but administrators should verify their hardware is compatible with the new security requirements.