Chargemap chargemap.com
Act Now · 9.4 · ICS-CERT ICSA-26-057-05 · Feb 26, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Chargemap charging stations contain multiple authentication and credential management vulnerabilities (CWE-306, CWE-307, CWE-522, CWE-613) that could allow attackers to gain unauthorized administrative control or disrupt charging services through denial-of-service. The vulnerabilities affect all versions of chargemap.com's charging station software. The vendor did not respond to CISA coordination requests.
What this means
What could happen
An attacker could gain unauthorized administrative control over electric vehicle charging stations, potentially disrupting charging services or redirecting power/data flows. This could prevent vehicle charging, cause financial loss, or enable physical tampering with connected infrastructure.
Who's at risk
Organizations operating Chargemap electric vehicle charging stations, including fleet operators, municipalities with public EV charging networks, and enterprises with employee charging infrastructure. This affects the availability and control of EV charging services.
How it could be exploited
An attacker on the network could exploit missing or weak authentication mechanisms (CWE-306, CWE-307, CWE-522) to gain administrative access to the charging station without valid credentials. With that access, the attacker could execute unauthorized commands or trigger denial-of-service conditions to disable charging functionality.
Prerequisites
- Network access to the charging station's management interface or API endpoint
- No valid administrative credentials required
Remotely exploitable · No authentication required · No patch available · Vendor unresponsive to coordination · Affects critical energy infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| chargemap.com: vers:all/* | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Contact Chargemap through their support page at https://chargemap.com/en-us/support to request security information and interim mitigation guidance
- HARDENING: Deploy firewall rules to restrict administrative access to charging stations to authorized management workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor charging station logs for unauthorized access attempts or administrative actions
Mitigations - no patch available
chargemap.com: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate charging station management interfaces from untrusted networks