Multiple Vulnerabilities Plague CTEK Chargeportal, Exposing Charging Infrastructure to Attack
Multiple vulnerabilities have been identified in **CTEK** Chargeportal, potentially allowing attackers to gain unauthorized control or disrupt charging services. The issues range from missing authentication to insufficient session expiration, impacting energy and transportation sectors globally.
**CTEK**, a Swedish company specializing in charging solutions, faces scrutiny as multiple vulnerabilities have been discovered in its Chargeportal software. These flaws could allow malicious actors to gain unauthorized administrative control over charging stations or disrupt services via denial-of-service attacks.
[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json)
## Impact Summary
Successful exploitation of these vulnerabilities could lead to:
* Unauthorized administrative control over vulnerable charging stations.
* Disruption of charging services through denial-of-service attacks.
The affected product is:
* Chargeportal vers:all/*
## Vulnerability Details
The vulnerabilities, reported to **CISA** by Khaled Sarieddine and Mohammad Ali Sayed, are detailed below:
### CVE-2026-25192: Missing Authentication for Critical Function
WebSocket endpoints lack proper authentication, enabling attackers to impersonate charging stations and manipulate data. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. This can lead to privilege escalation, unauthorized control, and data corruption.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-25192)
**Affected Product:**
* **Vendor:** CTEK
* **Product:** CTEK Chargeportal: vers:all/*
* **Status:** Known Affected
**Relevant CWE:** [CWE-306 Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)
### CVE-2026-31904: Improper Restriction of Excessive Authentication Attempts
The WebSocket API lacks rate limiting on authentication requests. This absence may allow attackers to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-31904)
**Affected Product:**
* **Vendor:** CTEK
* **Product:** CTEK Chargeportal: vers:all/*
* **Status:** Known Affected
**Relevant CWE:** [CWE-307 Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html)
### CVE-2026-27649: Insufficient Session Expiration
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing. This may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-27649)
**Affected Product:**
* **Vendor:** CTEK
* **Product:** CTEK Chargeportal: vers:all/*
* **Status:** Known Affected
**Relevant CWE:** [CWE-613 Insufficient Session Expiration](https://cwe.mitre.org/data/definitions/613.html)
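To show the backend-side controls that the three weakness classes above (CWE-306, CWE-307 and CWE-613) call for, the following is an added example of a hardened OCPP WebSocket connection policy. It is constructed for this article and is not CTEK code; the `ChargePointGateway` class, the hashed per-station credential store, the injectable clock and the thresholds are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
# Constructed example of a hardened OCPP central-system connection policy (not CTEK code).
# A charge point's WebSocket session is accepted only if it presents a per-station
# credential (CWE-306), is under the failed-attempt threshold (CWE-307) and does not
# already hold a live session for its identifier (CWE-613).
MAX_FAILED = 5       # failed attempts tolerated per charge point id ...
WINDOW_SECONDS = 60  # ... within this sliding window

def hash_password(password: str) -> str:
    """Stored form of a charge point's HTTP Basic password (constructed scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()

class ChargePointGateway:
    def __init__(self, credentials, clock=time.monotonic):
        self._creds = credentials           # charge point id -> hash_password(...)
        self._clock = clock                 # injectable for deterministic tests
        self._failures = defaultdict(list)  # id -> timestamps of failed attempts
        self._sessions = {}                 # id -> token of the single live session

    def _rate_limited(self, cp_id):
        now = self._clock()
        recent = [t for t in self._failures[cp_id] if now - t < WINDOW_SECONDS]
        self._failures[cp_id] = recent
        return len(recent) >= MAX_FAILED

    def connect(self, cp_id, password):
        """Return ("accept", session_token) or ("reject", reason)."""
        if self._rate_limited(cp_id):   # a real deployment would also limit per source address
            return ("reject", "rate_limited")
        expected = self._creds.get(cp_id)
        if expected is None or not hmac.compare_digest(expected, hash_password(password)):
            self._failures[cp_id].append(self._clock())
            return ("reject", "bad_credentials")  # unknown and wrong ids answer alike
        if cp_id in self._sessions:
            # Policy choice: refuse the newcomer (alternative: close the old session and alert)
            return ("reject", "already_connected")
        token = secrets.token_hex(16)
        self._sessions[cp_id] = token
        return ("accept", token)

    def disconnect(self, cp_id, token):
        """Release the session only if the caller holds its token."""
        if self._sessions.get(cp_id) != token:
            return False
        del self._sessions[cp_id]
        return True
```

A second connection presenting an already-active charge point identifier is refused rather than silently shadowing the first, which is the condition CVE-2026-27649 describes.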
## Recommended Mitigations
**CISA** recommends the following defensive measures:
* Minimize network exposure for all control system devices and systems.
* Locate control system networks behind firewalls and isolate them from business networks.
* Use secure remote access methods like VPNs, ensuring they are updated to the latest version.
* Perform proper impact analysis and risk assessment prior to deploying defensive measures.
**CISA** also provides control systems security recommended practices on the ICS webpage at cisa.gov/ics.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to **CISA**.
## Revision History
* **Initial Release Date:** 2026-03-19