OTPulse

CTEK Chargeportal

Act Now | CVSS 9.4 | ICS-CERT ICSA-26-078-06 | Mar 19, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

CTEK Chargeportal charging stations contain multiple authentication and credential storage vulnerabilities (CWE-306, CWE-307, CWE-613, CWE-522) that allow attackers to gain unauthorized administrative control. Successful exploitation enables attackers to take control of charging stations or disrupt charging services. CTEK is sunsetting this product in April 2026 with no patches planned.

What this means
What could happen
An attacker could gain unauthorized administrative control of EV charging stations, allowing them to disrupt charging services, modify station settings, or prevent legitimate users from accessing charging. This could impact transportation and energy infrastructure operations.
Who's at risk
Transportation and energy sector operators who deploy CTEK Chargeportal EV charging stations, particularly those with internet-connected or remotely managed charging networks used for fleet electrification, public charging infrastructure, or grid-connected charging services.
How it could be exploited
An attacker with network access to a Chargeportal charging station can bypass authentication controls due to missing or weak credential verification (CWE-306, CWE-307, CWE-613) and exploit improper credential storage (CWE-522) to gain administrative access without valid credentials.
Prerequisites
  • Network access to the Chargeportal charging station management interface
  • The charging station or portal must be reachable from the attacker's network (internet-accessible or internal network compromise)
Tags: remotely exploitable, no authentication required, low complexity, no patch available, vendor end-of-life product
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Chargeportal: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Immediately restrict network access to Chargeportal charging stations by placing them behind firewalls and isolating them from internet exposure and business networks
  • HARDENING: If remote access to charging stations is required, implement a VPN connection and keep VPN software updated to the latest version
  • HARDENING: Conduct a network risk assessment to identify which charging stations are currently exposed or accessible from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Plan replacement or decommissioning of affected Chargeportal units before vendor end-of-life in April 2026 and contact CTEK for migration guidance
CTEK Chargeportal | CVSS 9.4 - OTPulse