CTEK Chargeportal
Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-078-06 | Mar 19, 2026
Carrier | Energy | Transportation
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
CTEK Chargeportal contains multiple authentication and credential storage weaknesses (CWE-306, CWE-307, CWE-522, CWE-613) affecting all versions. Successful exploitation enables attackers to gain unauthorized administrative control over charging stations or disrupt charging services. The vendor has announced end-of-life for this product in April 2026 with no patches planned.
What this means
What could happen
An attacker could gain unauthorized administrative access to charging stations and potentially disrupt charging services, affecting transportation and vehicle charging infrastructure across your region.
Who's at risk
Organizations operating electric vehicle charging networks—including municipal utilities, regional transportation authorities, and EV charging operators—are affected. This applies to anyone managing Chargeportal charging station management systems across all versions.
How it could be exploited
An attacker with network access to a Chargeportal instance could exploit missing or weak authentication controls (CWE-306, CWE-307) combined with insecure credential storage (CWE-522) to gain administrative access without valid credentials. Once authenticated, the attacker could modify charging station settings, disable stations, or disrupt service through denial-of-service methods.
Prerequisites
- Network access to the Chargeportal device or web interface
- The device is reachable from an untrusted network (internet or unsegmented business network)
- No patch available (product end-of-life)
- Remotely exploitable over network
- No authentication required
- Low complexity to exploit
- Affects critical charging infrastructure
- Default or weak credentials possible
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Chargeportal: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Immediately restrict network access to Chargeportal devices; do not expose them to the Internet or unsegmented business networks. Use firewall rules to allow connections only from authorized management networks.
- HARDENING: If remote access is required, implement a VPN gateway as the sole access point to Chargeportal systems and keep VPN firmware updated to the latest available version.
- WORKAROUND: Contact CTEK support (https://www.ctek.com/support) to understand your end-of-life options and confirm your current version is no longer receiving updates.
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HARDENING: Isolate Chargeportal systems on a dedicated network segment separate from business networks and charging station data networks.
- HOTFIX: Plan decommissioning of Chargeportal before the vendor sunset date in April 2026. Evaluate and procure a replacement charging management platform now.