IGL-Technologies eParking.fi

Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-078-07 | Mar 19, 2026
Energy | Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

eParking.fi contains multiple authentication and input validation weaknesses (CWE-306, CWE-307, CWE-613, CWE-522) that allow attackers without credentials to gain unauthorized administrative control of OCPP charging servers or conduct denial-of-service attacks. The vulnerability affects all versions of eParking.fi using the unencrypted OCPP protocol. Deployments using encrypted OCPP or IGL-Technologies' proprietary eTolppa protocol are not affected. IGL-Technologies has updated its OCPP server infrastructure with stronger authentication, device whitelisting, rate-limiting, and monitoring, but no patch is available for existing customer deployments. The vendor has not planned security updates for customer-managed eParking instances.

What this means
What could happen
An attacker could gain unauthorized administrative control of EV charging stations or disrupt charging service availability. This could prevent legitimate vehicle charging, affecting fleet operations and public transportation schedules.
Who's at risk
Public EV charging operators, municipal utilities with charging networks, and transportation authorities using eParking.fi charging infrastructure. Impacts charging availability and fleet operations.
How it could be exploited
An attacker could exploit weak authentication and lack of device whitelisting on eParking.fi OCPP servers to send unauthorized commands to charging stations or flood the system with requests, disrupting charging operations. The attack requires network access to the OCPP server port but no credentials or user interaction.
Prerequisites
  • Network access to the eParking OCPP server (typically port 443 or 8080 for OCPP communication)
  • eParking.fi deployment using unencrypted OCPP protocol (encrypted or eTolppa protocol deployments are not affected)
remotely exploitable | no authentication required | low complexity | no patch available | affects critical charging infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
eParking.fi: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate eParking OCPP servers from the Internet using firewall rules; restrict OCPP connections to known charging station IP addresses only
WORKAROUND: Enable device-level whitelisting on eParking servers to allow only authorized charging units to connect
WORKAROUND: Enable rate-limiting controls on OCPP servers to mitigate denial-of-service attacks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Deploy automated monitoring and alerting for abnormal OCPP network activity
HOTFIX: Migrate to IGL-Technologies' encrypted OCPP deployment or proprietary eTolppa protocol if available
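
An added example (not code from the advisory or from IGL-Technologies) of the whitelisting, rate-limiting and monitoring checks listed above, run over a constructed OCPP connection log. The log format, allowlist entries, thresholds and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed allowlist: charge point identity -> expected source IP (constructed values).
ALLOWLIST = {"CP-0001": "10.20.0.11", "CP-0002": "10.20.0.12"}
MAX_MSGS = 5                      # assumed per-source message budget
WINDOW = timedelta(seconds=10)    # assumed sliding window for that budget

def parse(line):
    """Parse 'ISO-timestamp src_ip charge_point_id action' (hypothetical log format)."""
    ts, ip, cp_id, action = line.split()
    return datetime.fromisoformat(ts), ip, cp_id, action

def detect(lines):
    """Return de-duplicated (reason, src_ip, charge_point_id) alerts in first-seen order."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    alerts, seen = [], set()

    def alert(reason, ip, cp_id):
        key = (reason, ip, cp_id)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for line in lines:
        ts, ip, cp_id, _action = parse(line)
        expected_ip = ALLOWLIST.get(cp_id)
        if expected_ip is None:                 # identity not on the device allowlist
            alert("unknown-charge-point", ip, cp_id)
        elif expected_ip != ip:                 # known identity, unexpected source
            alert("identity-from-unexpected-ip", ip, cp_id)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:               # drop timestamps older than the window
            q.popleft()
        if len(q) > MAX_MSGS:                   # per-source rate budget exceeded
            alert("rate-exceeded", ip, cp_id)
    return alerts

# Constructed sample log, not captured traffic.
SAMPLE = [
    "2026-03-19T10:00:00 10.20.0.11 CP-0001 BootNotification",
    "2026-03-19T10:00:05 10.20.0.11 CP-0001 Heartbeat",
    "2026-03-19T10:00:06 198.51.100.7 CP-0002 BootNotification",
    "2026-03-19T10:00:07 198.51.100.7 CP-9999 BootNotification",
] + [f"2026-03-19T10:00:{10 + i:02d} 203.0.113.9 CP-0001 Heartbeat" for i in range(7)]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(*a)
```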