IGL-Technologies eParking.fi
Act Now | CVSS 9.4 | ICS-CERT ICSA-26-078-07 | Mar 19, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
eParking.fi contains multiple authentication and authorization flaws (CWE-306, CWE-307, CWE-613, CWE-522) in its OCPP server implementation that allow attackers to gain unauthorized administrative control of charging stations or launch denial-of-service attacks. All versions are affected. Devices using IGL-Technologies' encrypted OCPP deployment or proprietary eTolppa protocol are not vulnerable. IGL-Technologies has released server-side updates implementing stronger authentication, device whitelisting, rate-limiting, and enhanced monitoring but has not released client-side firmware fixes for affected charging units.
What this means
What could happen
An attacker could gain administrative control of EV charging stations or disable charging services, disrupting transportation infrastructure and potentially affecting grid stability if the stations are connected to energy management systems.
Who's at risk
Electric utilities and transportation authorities operating eParking.fi charging stations should prioritize this. The vulnerabilities affect all versions of eParking.fi, particularly deployments using the standard OCPP protocol without encryption. Energy companies managing EV charging networks and public transportation agencies with fleet charging infrastructure are directly impacted.
How it could be exploited
An attacker on the network can exploit weak authentication and authorization controls in the eParking.fi OCPP (Open Charge Point Protocol) server to impersonate authorized charging units or send malicious commands. This requires network access to the OCPP server endpoints, which may be exposed to the internet or reachable from untrusted networks.
Prerequisites
- Network access to eParking.fi OCPP server endpoints
- No valid credentials required to exploit authentication weaknesses
- Attacker must be able to reach the server from their network position
- remotely exploitable
- no authentication required
- low complexity attack
- high CVSS score (9.4)
- no vendor patch available
- affects critical infrastructure (charging and grid operations)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
eParking.fi: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Contact IGL-Technologies to verify your eParking deployment is using the encrypted OCPP server variant or proprietary eTolppa protocol, which are not affected by these vulnerabilities
- HOTFIX: If using unencrypted OCPP, request immediate deployment of IGL-Technologies OCPP server updates that enforce modern security profiles and stronger authentication
- WORKAROUND: Implement device-level whitelisting at the eParking server to ensure only known, authorized charging units can connect
- WORKAROUND: Enable rate-limiting controls on OCPP server to prevent excessive requests and reduce denial-of-service risk
- HARDENING: Place eParking.fi OCPP servers behind a firewall and isolate from the internet; restrict access to only authorized management networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Enable automated monitoring and alerting on the OCPP server to detect abnormal network activity or unauthorized connection attempts
- HARDENING: If remote access to charging infrastructure is required, implement a VPN with current security updates and restrict access to specific authorized users
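The whitelisting and monitoring items above can be backed by a log check like the following. This is an added example, not IGL-Technologies code or part of the advisory; the log format, unit IDs, event names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values (not from the advisory): known unit IDs and alert thresholds.
ALLOWED_UNITS = {"CP-0001", "CP-0002"}
MAX_FAILS = 3
WINDOW = timedelta(seconds=60)

# Constructed sample log, hypothetical format: "<ISO time> <source IP> <unit id> <event>"
SAMPLE_LOG = """\
2026-03-19T10:00:00 10.0.0.5 CP-0001 CONNECT_OK
2026-03-19T10:00:05 203.0.113.9 CP-9999 CONNECT_OK
2026-03-19T10:00:10 198.51.100.7 CP-0002 AUTH_FAIL
2026-03-19T10:00:12 198.51.100.7 CP-0002 AUTH_FAIL
2026-03-19T10:00:14 198.51.100.7 CP-0002 AUTH_FAIL
2026-03-19T10:00:20 203.0.113.9 CP-0001 CONNECT_OK
2026-03-19T10:05:00 10.0.0.5 CP-0001 DISCONNECT
"""

def analyze(log_text):
    """Return (timestamp, alert_kind, unit_id, source_ip) tuples in log order."""
    alerts = []
    fails = defaultdict(deque)  # source IP -> timestamps of recent AUTH_FAIL events
    active = {}                 # unit id -> source IP holding the live session
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts = datetime.fromisoformat(parts[0])
        ip, unit, event = parts[1:]
        if unit not in ALLOWED_UNITS:
            # Whitelisting check: unit ID is not a known charging unit.
            alerts.append((parts[0], "UNKNOWN_UNIT", unit, ip))
        elif event == "AUTH_FAIL":
            q = fails[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop failures older than the window
                q.popleft()
            if len(q) == MAX_FAILS:    # alert when the threshold is reached
                alerts.append((parts[0], "AUTH_FAIL_BURST", unit, ip))
        elif event == "CONNECT_OK":
            if unit in active and active[unit] != ip:
                # Same unit ID already connected from another address.
                alerts.append((parts[0], "DUPLICATE_SESSION", unit, ip))
            else:
                active[unit] = ip
        elif event == "DISCONNECT" and active.get(unit) == ip:
            del active[unit]
    return alerts
```

Calling `analyze(SAMPLE_LOG)` yields one alert of each kind; in a deployment the allowlist would come from the operator's inventory of charging units.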