Advisory

Multiple Vulnerabilities Reported in EVMAPA Electric Vehicle Charging Systems

Take action: Make sure all EVMAPA-managed systems are isolated from the internet and reachable from trusted networks only. Two of the three flaws don't have a patch yet, so isolation is your priority control. Then reach out to the vendor for details on upcoming patches.


Learn More

CISA is reporting three security vulnerabilities in EVMAPA, a provider of electric vehicle charging management software, that affect its systems in Czechia and Slovakia. These flaws allow attackers to take control of charging stations, steal sensitive data, or shut down services entirely.

Vulnerabilities summary:

  • CVE-2025-54816 (CVSS score 9.4) - Missing authentication for critical functions in WebSocket endpoints allows unauthorized remote command execution and data theft. Attackers can establish connections without providing credentials, which leads to privilege escalation and full system compromise.
  • CVE-2025-53968 (CVSS score 7.5) - Improper restriction of authentication attempts enables brute-force attacks and denial-of-service conditions.
  • CVE-2025-55705 (CVSS score 7.3) - Insufficient session expiration permits multiple simultaneous connections with the same ID, leading to session manipulation.

EVMAPA has already resolved the session management issue (CVE-2025-55705) to prevent duplicate connections. For the critical WebSocket flaw, the vendor recommends that operators connect stations through a VPN or use WebSocket Secure (WSS) protocols. The company plans to implement BASIC authorization for newer stations using the Open Charge Point Protocol (OCPP) 2.x standard.
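The three controls the advisory points at all sit at the moment a charging station opens its WebSocket to the management backend. The following Python sketch is an added illustration, not EVMAPA's or CISA's code: it enforces Basic authentication on the upgrade request, caps failed attempts per station, and refuses a second live connection with the same station ID. The class name OcppGateKeeper, the in-memory credential store, and the assumption that the Basic username is the station identity in the URL path are mine.

```python
import base64
import hmac
import time
from dataclasses import dataclass, field

def basic_header(user: str, password: str) -> dict:  # header a station would send (helper)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

@dataclass
class OcppGateKeeper:
    credentials: dict                       # station id -> Basic-auth password (assumed store)
    max_failures: int = 5                   # failed attempts tolerated inside the window
    lockout_seconds: float = 300.0          # window after which old failures age out
    failures: dict = field(default_factory=dict)  # station id -> (count, last failure time)
    active: set = field(default_factory=set)      # station ids with a live session

    @staticmethod
    def _parse_basic(header):
        if not header or not header.startswith("Basic "):
            return None
        try:
            user, sep, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return (user, password) if sep else None

    def check_upgrade(self, path: str, headers: dict, now=None):
        """Return (accepted, reason). Station id is the last path segment, e.g. /ocpp/CP001."""
        now = time.time() if now is None else now
        cp_id = path.rstrip("/").rsplit("/", 1)[-1]
        count, last = self.failures.get(cp_id, (0, 0.0))
        if now - last >= self.lockout_seconds:
            count = 0                       # previous failures have aged out
        elif count >= self.max_failures:
            return False, "locked out"      # throttle brute force (CVE-2025-53968 class of flaw)
        creds = self._parse_basic(headers.get("Authorization"))
        expected = self.credentials.get(cp_id)
        if creds is None or expected is None or creds[0] != cp_id \
                or not hmac.compare_digest(creds[1].encode(), expected.encode()):
            self.failures[cp_id] = (count + 1, now)
            return False, "unauthorized"    # no anonymous sessions (CVE-2025-54816 class of flaw)
        self.failures.pop(cp_id, None)
        if cp_id in self.active:
            return False, "duplicate session"  # one live connection per id (CVE-2025-55705 class)
        self.active.add(cp_id)
        return True, "ok"

    def disconnect(self, cp_id: str) -> None:
        self.active.discard(cp_id)
```

The `failures` map should be bounded in production (unknown station IDs would otherwise grow it without limit), and the whole exchange still belongs behind TLS (WSS) as the vendor recommends, because Basic credentials travel in clear text.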
