EVMAPA

Act Now9.4ICS-CERT ICSA-26-022-08Jan 22, 2026

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

EVMAPA charging station management system contains three vulnerabilities related to weak or missing authentication and authorization controls in the OCPP (Open Charge Point Protocol) interface. CVE-2025-54816 affects stations that do not enforce authorization key changes, allowing unauthorized command execution and status manipulation. CVE-2025-53968 details are not disclosed by the vendor. CVE-2025-55705 addressed duplicate CBID (Charge Box ID) simultaneous connections, which could enable spoofing attacks. Exploitation could result in unauthorized control of charging station operations, denial of service, or manipulation of billing/status data.

What this means

What could happen

An attacker with network access to EVMAPA charging station systems could execute remote commands to manipulate or spoof charging station status, disrupt service availability, or gain unauthorized control over the charging infrastructure.

Who's at risk

Electric utility operators and charging station management teams responsible for EV charging infrastructure. Affects EVMAPA charging stations across all versions used for public or fleet charging operations.

How it could be exploited

An attacker with network access to the charging station management system (likely the OCPP interface or WebSocket connection) could exploit missing or weak authentication controls to send unauthorized commands that alter charging station state, status reporting, or operational parameters.

Prerequisites

Network access to OCPP management interface or WebSocket connections to charging stations
No valid credentials required for CVE-2025-54816 and CVE-2025-55705 exploitation

Remotely exploitableNo authentication required (CVE-2025-54816, CVE-2025-55705)Low complexityNo patch availableAffects critical charging infrastructure

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

EVMAPA: vers:all/*All versionsNo fix yet

Remediation & Mitigation

0/6

Do now

0/4

HOTFIXFor OCPP 2.x and newer charging stations, verify EVMAPA has deployed BASIC authorization control; contact vendor for deployment timeline and confirmation

HARDENINGEnsure all charging stations connect exclusively via WebSocket Secure (WSS) rather than unencrypted WebSocket to encrypt credentials in transit

HARDENINGVerify EVMAPA-supplied stations are configured to connect through the vendor VPN rather than direct network access

WORKAROUNDMonitor for OCPP connections using duplicate CBIDs (Charge Box IDs), as simultaneous duplicate connections indicate potential spoofing attacks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement network segmentation to isolate charging station management traffic from other OT/IT systems

WORKAROUNDContact EVMAPA directly for details on CVE-2025-53968 and recommended mitigations

CVEs (3)

CVE-2025-54816 CVE-2025-53968 CVE-2025-55705

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5a0825ae-107e-4b6c-9458-984004020317