Critical Authentication Bypass in CTEK Chargeportal (CVE‑2026‑25192) Threatens Global EV Charging Infrastructure
What It Is – A critical authentication‑bypass flaw (CVE‑2026‑25192) in the CTEK Chargeportal management platform allows an unauthenticated actor to connect to the OCPP WebSocket endpoint, impersonate any charging station, and issue privileged commands. The vulnerability carries a CVSS v3 base score of 9.4, indicating a severe risk of remote code execution, data manipulation, and service disruption.
Exploitability – The flaw has been publicly disclosed by CISA; proof‑of‑concept code exists, and the vulnerability is exploitable over the internet without credentials. No public exploit kits have been observed yet, but the low barrier to abuse makes active exploitation plausible.
Affected Products – All versions of CTEK Chargeportal (the web‑based portal used to monitor and control EV charging stations).
TPRM Impact –
- Compromise of a charging‑station provider can cascade to fleet operators, utilities, and municipalities that rely on the platform.
- Unauthorized control may corrupt usage data, affect billing, and disrupt energy‑load balancing, creating downstream supply‑chain risk.
- The vulnerability spans the Energy and Transportation sectors worldwide, exposing any third party that integrates CTEK Chargeportal into its operations.
Recommended Actions –
- Apply the vendor‑released patch or upgrade to the latest supported version immediately.
- Enforce network segmentation: isolate charging‑station traffic from corporate and OT networks.
- Deploy TLS‑encrypted OCPP connections and enforce mutual authentication for all WebSocket endpoints.
- Monitor for anomalous OCPP commands and failed authentication attempts.
- Conduct a rapid risk assessment of all third‑party contracts that depend on CTEK Chargeportal and update contractual security clauses.
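The identity binding that the "enforce mutual authentication for all WebSocket endpoints" action calls for, as an added example (not CTEK's or the OCPP project's code): a central-system side gate that accepts an OCPP-J upgrade request only when the presented credential verifies and its username equals the station id in the URL path, so one station's key cannot be used to impersonate another. It assumes the OCPP-J convention of the station id as the last path segment and the OCPP 1.6 security profile that uses HTTP Basic credentials over TLS; the station ids, passwords and salt are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Constructed credential store (not real CTEK data): station id -> (salt, PBKDF2 hash).
def _kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT = b"constructed-salt"
STATION_KEYS = {
    "CP-0001": (_SALT, _kdf(b"s3cret-0001", _SALT)),
    "CP-0002": (_SALT, _kdf(b"s3cret-0002", _SALT)),
}
ALLOWED_SUBPROTOCOLS = {"ocpp1.6", "ocpp2.0.1"}

def basic_auth_headers(user: str, password: str, subprotocol: str = "ocpp1.6") -> dict:
    """Headers a correctly provisioned station sends with its upgrade request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token, "Sec-WebSocket-Protocol": subprotocol}

def authorize_upgrade(path: str, headers: dict) -> tuple:
    """Gate the WebSocket upgrade; returns (accepted, station_id_or_reason).
    Accepts only if the Basic credential verifies AND its username equals the
    station id in the URL path, so one station's key cannot impersonate another."""
    h = {k.lower(): v for k, v in headers.items()}
    station_id = unquote(path.rstrip("/").rsplit("/", 1)[-1])
    if not station_id:
        return False, "missing station id in path"
    offered = {p.strip() for p in h.get("sec-websocket-protocol", "").split(",")}
    if not offered & ALLOWED_SUBPROTOCOLS:
        return False, "unsupported OCPP subprotocol"
    scheme, _, blob = h.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False, "no credentials"
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False, "malformed credentials"
    record = STATION_KEYS.get(user)
    # Run the KDF even for unknown ids so response time does not reveal valid ids.
    salt, expected = record if record else (_SALT, b"\0" * 32)
    if not (hmac.compare_digest(_kdf(password.encode(), salt), expected) and record):
        return False, "bad credentials"
    if not hmac.compare_digest(user.encode(), station_id.encode()):
        return False, "credential does not match station id in path"
    return True, station_id
```

Every rejection reason returned here is worth logging, since the "failed authentication attempts" the monitoring action refers to are exactly these events. The same path-to-identity binding applies unchanged when the station identity is taken from a client certificate under mutual TLS instead of a Basic credential.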
Source: CISA Advisory – ICSA‑26‑078‑06