External risk intelligence

Attacker can control EV charging stations and steal data

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-29796

A critical flaw in igl's eparking.fi software allows anyone to impersonate electric vehicle charging stations and control them remotely, potentially disrupting operations and corrupting data across the network.

5Halo Surface Signal

Missing Authentication

Igl Eparking Fi

External exposure likelihood

Halo Surface Signal score for CVE-2026-29796

The vulnerability exists in OCPP WebSocket endpoints designed to facilitate communication between charging stations and backend management systems. These endpoints are intended to be public-facing or internet-reachable to support distributed charging infrastructure, and the lack of authentication allows any external actor to interact with the service as a legitimate charging station by design.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a flaw in how charging station communication is secured, allowing unauthorized access. Without proper authentication, an attacker can impersonate a charging station and send or receive commands. This could lead to control over charging infrastructure and corrupted data.

  • Unauthorized control of charging stations.
  • Manipulation of charging network data.
  • Attacker can act as a legitimate charger.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can impersonate charging stations by connecting to the OCPP WebSocket endpoint. This allows them to send or receive commands as a legitimate device, potentially leading to unauthorized control and data manipulation within the charging network.

  • Target WebSocket endpoint.
  • Impersonate charging stations.
  • Manipulate charging data.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to impersonate charging stations and manipulate data. The lack of authentication on WebSocket endpoints means attackers can directly interact with the charging infrastructure, potentially leading to widespread disruption and data corruption across the network. While the specific target is niche, the impact on critical infrastructure makes it a concerning threat.

  • Exploitation relies on direct network access.
  • No known public exploits exist.
  • Vulnerability affects charging station management.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate containment of affected charging stations and their associated backend services to prevent unauthorized control and data manipulation. Focus on identifying any instances of station impersonation or data anomalies within your charging network telemetry. Given the critical nature and potential for widespread impact, isolating these services is crucial until robust authentication and authorization controls are implemented and verified.

  • Isolate affected charging stations.
  • Monitor for unauthorized station activity.
  • Implement strong WebSocket authentication.

Frequently asked questions

What is igl eparking.fi and its function in EV charging infrastructure?

igl eparking.fi is a software platform used to manage electric vehicle (EV) charging stations. It enables communication between charging stations and backend systems, allowing for remote monitoring and control of the charging infrastructure.

What is the weakness class for CVE-2026-29796?

CVE-2026-29796 falls under the weakness class CWE-306, which describes 'authentication bypass using predictable context-dependent attack vectors'. This indicates that the system does not sufficiently verify the identity of users or devices attempting to access its functions.

How can an attacker exploit CVE-2026-29796 to gain unauthorized access?

An attacker can exploit this vulnerability by connecting to the OCPP WebSocket endpoint using a known or discovered charging station identifier. Since no authentication is required, the attacker can then issue or receive OCPP commands as if they were a legitimate charger, leading to unauthorized control and data manipulation.

What is the relevance of CVE-2026-29796 to electric vehicle charging networks?

The relevance of this vulnerability is significant as it allows unauthenticated attackers to impersonate EV charging stations and manipulate data. This can result in unauthorized control over charging infrastructure and corruption of data reported to the backend, potentially impacting network operations and user trust.

What are the recommended steps to address the CVE-2026-29796 vulnerability?

To address this vulnerability, it is crucial to prioritize the containment of affected charging stations and their associated backend services. Monitoring for unauthorized station activity and implementing strong authentication and authorization controls for WebSocket connections are essential steps to prevent unauthorized access and data manipulation.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified