What is the most severe vulnerability in the Chargemap platform?

The most severe is CVE-2026-25851 (CVSS score 9.4), which allows unauthenticated attackers to impersonate charging stations by connecting to WebSocket endpoints without proper authentication.

How can attackers find charging station identifiers?

According to CVE-2026-20791, charging station authentication identifiers are publicly accessible through web-based mapping platforms.

What is session shadowing in the context of these flaws?

Session shadowing (CVE-2026-25711) occurs when the backend allows multiple connections to use the same session ID, letting an attacker displace a legitimate station and receive its commands.

Has Chargemap released a patch for these issues?

No, the vendor did not respond to CISA's coordination requests, and no official patches have been released as of the advisory date.

What are the recommended mitigations?

CISA recommends isolating charging station networks from the internet, using firewalls, and requiring secure VPNs for any necessary remote access.

Advisory

Multiple Vulnerabilities Discovered in Chargemap Platform

published: Feb. 26, 2026

Take action: Make sure your Chargemap station management is isolated from the internet and behind a firewall or VPN. Since the vendor has not released a patch that's your only defense until the vendor does something or you replace these systems.

Learn More

CISA reports multiple flaws, some critical in Chargemap, a French electric vehicle charging service provider.

Vulnerabilities summary:

CVE-2026-25851 (CVSS score 9.4) - A missing authentication vulnerability in WebSocket endpoints that allows unauthenticated attackers to impersonate charging stations. By connecting to the Open Charge Point Protocol (OCPP) WebSocket using a discovered identifier, an attacker can issue or receive commands as a legitimate charger, leading to full infrastructure takeover.
CVE-2026-20792 (CVSS score 7.5) - A rate-limiting flaw in the WebSocket API that fails to restrict the number of authentication requests. Attackers can exploit this to run brute-force attacks or trigger denial-of-service conditions by suppressing legitimate charger telemetry.
CVE-2026-25711 (CVSS score 7.3) - A session management vulnerability where the backend allows multiple endpoints to connect using the same predictable session identifier. This enables session hijacking or "shadowing," where a malicious connection displaces a legitimate station to intercept backend commands.
CVE-2026-20791 (CVSS score 6.5) - An information disclosure issue where charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Attackers can manipulate data sent to the backend, potentially leading to fraudulent transactions or incorrect status reporting. The ability to displace legitimate connections allows attackers to intercept sensitive operational commands intended for specific charging stations.

The flaws affect the entire chargemap.com service across all versions. Because Chargemap has not responded to coordination requests from CISA, there are currently no official vendor patches available to address these flaws.

Organizations using Chargemap should immediately isolate the systems from the internet and minimize network exposure. CISA recommends isolating control system networks from business networks and ensuring charging stations are not directly accessible from the internet. If remote access is required, administrators should use secure VPNs.

Multiple Vulnerabilities Discovered in Chargemap Platform

Read More
Siemens Issues Patches for 41 flaws, three of …
Honeywell releases patch for critical vulneabilities of Experion …
KiloView Encoder Account Takeover Vulnerability
wolfSSL Patches Critical Certificate Forgery Vulnerability Affecting Billions …
Hitachi Energy Patches Critical Blast-RADIUS Vulnerability in XMC20 …