Critical Authentication Bypass in IGL‑Technologies eParking.fi (CVE‑2026‑29796) Threatens Global EV Charging Infrastructure
What It Is – A critical authentication‑bypass vulnerability (CVE‑2026‑29796) in the WebSocket OCPP endpoint of IGL‑Technologies eParking.fi allows unauthenticated actors to impersonate charging stations, issue arbitrary OCPP commands, and manipulate backend data.
Exploitability – The flaw is publicly disclosed, has a CVSS v3.1 base score of 9.4 (Critical), and proof‑of‑concept exploits have been observed in the wild. No authentication is required to connect to the endpoint, making exploitation trivial.
Affected Products – All versions of IGL‑Technologies eParking.fi (eParking.fi vers: all/*).
TPRM Impact – The vulnerability can be leveraged to gain administrative control of EV charging stations owned or operated by a third‑party vendor, potentially disrupting service for downstream customers and exposing network‑level telemetry.
Recommended Actions –
- Immediately block external access to the OCPP WebSocket endpoint until a patch is applied.
- Deploy the vendor‑provided firmware update that enforces mutual TLS or token‑based authentication.
- Conduct a rapid inventory of all deployed eParking.fi stations and verify they are running the patched version.
- Review incident‑response playbooks for EV‑charging‑infrastructure compromise and test detection rules for anomalous OCPP traffic.
- Engage the supplier to obtain a timeline for remediation and confirm remediation status before re‑enabling external connectivity.
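
One way to exercise the detection rules named in the list above, as an added example (not code from the advisory or the vendor): it checks WebSocket upgrade records for the OCPP endpoint for unauthenticated connections, unknown or unexpected station identities, and one identity reused from a second source. The log field names, the `/ocpp/` path prefix, the inventory and the time window are assumptions, and the sample records are constructed.

```python
import json

# Constructed sample: one JSON record per WebSocket upgrade, as a reverse proxy
# in front of the OCPP endpoint might log it. Field names are assumptions.
SAMPLE_LOG = """\
{"ts": 100, "src": "10.20.0.11", "path": "/ocpp/CP-0001", "auth": "basic", "client_cert": false}
{"ts": 130, "src": "10.20.0.12", "path": "/ocpp/CP-0002", "auth": null, "client_cert": true}
{"ts": 160, "src": "203.0.113.7", "path": "/ocpp/CP-0001", "auth": null, "client_cert": false}
{"ts": 900, "src": "203.0.113.9", "path": "/ocpp/CP-9999", "auth": null, "client_cert": false}
"""

# Assumed inventory: station identity -> source addresses it is expected to use.
INVENTORY = {"CP-0001": {"10.20.0.11"}, "CP-0002": {"10.20.0.12"}}
REUSE_WINDOW = 300  # seconds; assumed threshold for "same identity, second source"

def station_id(path):
    """In OCPP-J the station identity is the last segment of the connection URL."""
    return path.rstrip("/").rsplit("/", 1)[-1]

def detect(log_text, inventory=INVENTORY, window=REUSE_WINDOW):
    """Return (ts, station, rule) tuples for every rule a record trips."""
    alerts, last_seen = [], {}  # last_seen: station -> (ts, src)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cp = station_id(ev["path"])
        # Rule 1: upgrade carried neither HTTP credentials nor a client certificate.
        if not ev.get("auth") and not ev.get("client_cert"):
            alerts.append((ev["ts"], cp, "unauthenticated_upgrade"))
        # Rule 2: identity not in inventory, or known identity from a new address.
        if cp not in inventory:
            alerts.append((ev["ts"], cp, "unknown_station_identity"))
        elif ev["src"] not in inventory[cp]:
            alerts.append((ev["ts"], cp, "unexpected_source"))
        # Rule 3: same identity seen from a different source inside the window.
        prev = last_seen.get(cp)
        if prev and prev[1] != ev["src"] and ev["ts"] - prev[0] <= window:
            alerts.append((ev["ts"], cp, "identity_reused_from_second_source"))
        last_seen[cp] = (ev["ts"], ev["src"])
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Records that trip rule 1 after the authenticated update is deployed indicate a station or proxy path that is still accepting connections without credentials.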
Source: CISA Advisory – IGL‑Technologies eParking.fi (CVE‑2026‑29796)