EVMAPA

Plan PatchCVSS 9.4ICS-CERT ICSA-26-022-08Jan 22, 2026

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

EVMAPA charging stations contain multiple authentication and authorization flaws (CWE-306, CWE-307, CWE-613) that allow unauthenticated or weakly authenticated remote command execution. Vulnerabilities affect charging station status reporting and control via OCPP (Open Charge Point Protocol). CVE-2025-54816 allows attackers to change authorization keys on stations that support key modification. CVE-2025-53968 has no vendor statement. CVE-2025-55705 involves duplicate CBID (Charge Box ID) connections that could allow spoofing. All versions of EVMAPA are currently affected with no vendor patch released.

What this means

What could happen

An attacker with network access to EVMAPA charging stations could execute arbitrary commands on the station, manipulate charging status to cause billing fraud or service disruption, or trigger denial-of-service conditions affecting the ability to charge electric vehicles.

Who's at risk

Electric vehicle (EV) charging network operators and municipalities deploying EVMAPA charging stations are affected. This is critical for any organization managing a fleet of charging stations, whether public, private, or fleet-based, as it could allow attackers to spoof charging status or deny service to customers.

How it could be exploited

An attacker could send unauthenticated or weakly authenticated requests over the network to EVMAPA charging stations to bypass authorization checks (CWE-306, CWE-307) and execute commands. Weak or missing credential validation (CWE-613) allows the attacker to impersonate a legitimate station or operator without proper authentication.

Prerequisites

Network access to EVMAPA charging station over standard protocols (OCPP/WebSocket or direct network connection)
No valid credentials required for exploitation of CWE-306 and CWE-307 vulnerabilities

remotely exploitableno authentication requiredlow complexityno patch availableactively developed mitigations

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

EVMAPA: vers:all/*All versionsNo fix yet

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGIsolate EVMAPA charging stations on a dedicated network segment or VLAN with strict firewall rules limiting access to authorized operators only

WORKAROUNDIf your stations support WebSocket Secure (WSS), enforce WSS connections instead of plain WebSocket to encrypt authentication traffic

WORKAROUNDDisable or restrict remote management access to charging stations except from known operator workstations or management networks

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXContact EVMAPA directly for details on CVE-2025-53968 and for timeline on BASIC authorization control implementation in OCPP 2.x stations

HOTFIXWhen EVMAPA releases updates implementing BASIC authorization for OCPP 2.x and newer stations, apply the firmware update to all affected charging stations during scheduled maintenance windows

HARDENINGVerify that your charging stations do not allow simultaneous connections using the same CBID (Charge Box ID) to prevent spoofing or status manipulation attacks

CVEs (3)

CVE-2025-54816 CVE-2025-53968 CVE-2025-55705

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5a0825ae-107e-4b6c-9458-984004020317

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.