CVE-2025-54816 PUBLISHED

EVMAPA Missing Authentication for Critical Function

Assigner: icscert
Reserved: 20.08.2025 Published: 22.01.2026 Updated: 23.01.2026

This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS Score: 9.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	EVMAPA
Product	EVMAPA
Versions	Default: unaffected Version All versions is affected

Workarounds

EVMAPA informed CISA some of their charging stations do not allow changes to the authorization key using the Open Charge Point Protocol (OCPP). Currently, charge point operators have the option to connect stations using WebSocket Secure (WSS), and EVMAPA connects stations they supply via their own VPN. For OCPP 2.x and newer stations, EVMAPA plans to implement BASIC authorization control.

Credits

Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA finder

References

Problem Types

CWE-306 CWE