Search criteria
3 vulnerabilities by EVMAPA
CVE-2025-54816 (GCVE-0-2025-54816)
Vulnerability from cvelistv5 – Published: 2026-01-22 22:40 – Updated: 2026-01-23 20:12
VLAI?
Title
EVMAPA Missing Authentication for Critical Function
Summary
This vulnerability occurs when a WebSocket endpoint does not enforce
proper authentication mechanisms, allowing unauthorized users to
establish connections. As a result, attackers can exploit this weakness
to gain unauthorized access to sensitive data or perform unauthorized
actions. Given that no authentication is required, this can lead to
privilege escalation and potentially compromise the security of the
entire system.
Severity ?
9.4 (Critical)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T20:11:52.287743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T20:12:02.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EVMAPA",
"vendor": "EVMAPA",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability occurs when a WebSocket endpoint does not enforce \nproper authentication mechanisms, allowing unauthorized users to \nestablish connections. As a result, attackers can exploit this weakness \nto gain unauthorized access to sensitive data or perform unauthorized \nactions. Given that no authentication is required, this can lead to \nprivilege escalation and potentially compromise the security of the \nentire system.\n\n\u003cbr\u003e"
}
],
"value": "This vulnerability occurs when a WebSocket endpoint does not enforce \nproper authentication mechanisms, allowing unauthorized users to \nestablish connections. As a result, attackers can exploit this weakness \nto gain unauthorized access to sensitive data or perform unauthorized \nactions. Given that no authentication is required, this can lead to \nprivilege escalation and potentially compromise the security of the \nentire system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T22:40:55.625Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json"
}
],
"source": {
"advisory": "ICSA-26-022-08",
"discovery": "EXTERNAL"
},
"title": "EVMAPA Missing Authentication for Critical Function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EVMAPA informed CISA some of their charging stations do not allow \nchanges to the authorization key using the Open Charge Point Protocol \n(OCPP). Currently, charge point operators have the option to connect \nstations using WebSocket Secure (WSS), and EVMAPA connects stations they\n supply via their own VPN. For OCPP 2.x and newer stations, EVMAPA plans\n to implement BASIC authorization control."
}
],
"value": "EVMAPA informed CISA some of their charging stations do not allow \nchanges to the authorization key using the Open Charge Point Protocol \n(OCPP). Currently, charge point operators have the option to connect \nstations using WebSocket Secure (WSS), and EVMAPA connects stations they\n supply via their own VPN. For OCPP 2.x and newer stations, EVMAPA plans\n to implement BASIC authorization control."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-54816",
"datePublished": "2026-01-22T22:40:55.625Z",
"dateReserved": "2025-08-20T20:20:15.065Z",
"dateUpdated": "2026-01-23T20:12:02.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53968 (GCVE-0-2025-53968)
Vulnerability from cvelistv5 – Published: 2026-01-22 22:37 – Updated: 2026-01-23 20:11
VLAI?
Title
EVMAPA Improper Restriction of Excessive Authentication Attempts
Summary
This vulnerability arises because there are no limitations on the number
of authentication attempts a user can make. An attacker can exploit
this weakness by continuously sending authentication requests, leading
to a denial-of-service (DoS) condition. This can overwhelm the
authentication system, rendering it unavailable to legitimate users and
potentially causing service disruption. This can also allow attackers to
conduct brute-force attacks to gain unauthorized access.
Severity ?
7.5 (High)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T20:11:20.099000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T20:11:29.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EVMAPA",
"vendor": "EVMAPA",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability arises because there are no limitations on the number\n of authentication attempts a user can make. An attacker can exploit \nthis weakness by continuously sending authentication requests, leading \nto a denial-of-service (DoS) condition. This can overwhelm the \nauthentication system, rendering it unavailable to legitimate users and \npotentially causing service disruption. This can also allow attackers to\n conduct brute-force attacks to gain unauthorized access.\n\n\u003cbr\u003e"
}
],
"value": "This vulnerability arises because there are no limitations on the number\n of authentication attempts a user can make. An attacker can exploit \nthis weakness by continuously sending authentication requests, leading \nto a denial-of-service (DoS) condition. This can overwhelm the \nauthentication system, rendering it unavailable to legitimate users and \npotentially causing service disruption. This can also allow attackers to\n conduct brute-force attacks to gain unauthorized access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T22:37:36.978Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json"
}
],
"source": {
"advisory": "ICSA-26-022-08",
"discovery": "EXTERNAL"
},
"title": "EVMAPA Improper Restriction of Excessive Authentication Attempts",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EVMAPA did not release a statement regarding this vulnerability. Contact EVMAPA directly for more information.\n\n\u003cbr\u003e"
}
],
"value": "EVMAPA did not release a statement regarding this vulnerability. Contact EVMAPA directly for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-53968",
"datePublished": "2026-01-22T22:37:36.978Z",
"dateReserved": "2025-08-20T20:20:15.044Z",
"dateUpdated": "2026-01-23T20:11:29.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55705 (GCVE-0-2025-55705)
Vulnerability from cvelistv5 – Published: 2026-01-22 22:32 – Updated: 2026-01-23 20:10
VLAI?
Title
EVMAPA Insufficient Session Expiration
Summary
This vulnerability occurs when the system permits multiple simultaneous
connections to the backend using the same charging station ID. This can
result in unauthorized access, data inconsistency, or potential
manipulation of charging sessions. The lack of proper session management
and expiration control allows attackers to exploit this weakness by
reusing valid charging station IDs to establish multiple sessions
concurrently.
Severity ?
7.3 (High)
CWE
Assigner
References
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T20:10:35.019479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T20:10:44.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EVMAPA",
"vendor": "EVMAPA",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability occurs when the system permits multiple simultaneous \nconnections to the backend using the same charging station ID. This can \nresult in unauthorized access, data inconsistency, or potential \nmanipulation of charging sessions. The lack of proper session management\n and expiration control allows attackers to exploit this weakness by \nreusing valid charging station IDs to establish multiple sessions \nconcurrently."
}
],
"value": "This vulnerability occurs when the system permits multiple simultaneous \nconnections to the backend using the same charging station ID. This can \nresult in unauthorized access, data inconsistency, or potential \nmanipulation of charging sessions. The lack of proper session management\n and expiration control allows attackers to exploit this weakness by \nreusing valid charging station IDs to establish multiple sessions \nconcurrently."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T22:32:48.138Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EVMAPA informed CISA they have resolved this issue and do not allow \nsimultaneous connection of charging stations with the same CBID.\n\n\u003cbr\u003e"
}
],
"value": "EVMAPA informed CISA they have resolved this issue and do not allow \nsimultaneous connection of charging stations with the same CBID."
}
],
"source": {
"advisory": "ICSA-26-022-08",
"discovery": "EXTERNAL"
},
"title": "EVMAPA Insufficient Session Expiration",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-55705",
"datePublished": "2026-01-22T22:32:48.138Z",
"dateReserved": "2025-08-20T20:20:15.075Z",
"dateUpdated": "2026-01-23T20:10:44.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}