CVE-2025-55705 (GCVE-0-2025-55705)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:32 – Updated: 2026-01-23 20:10
VLAI?
Title
EVMAPA Insufficient Session Expiration
Summary
This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration control allows attackers to exploit this weakness by reusing valid charging station IDs to establish multiple sessions concurrently.
Severity ?
7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
Assigner
References
Impacted products
Vendor Product Version
EVMAPA EVMAPA Affected: All versions
Create a notification for this product.
Credits
Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55705",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-23T20:10:35.019479Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-23T20:10:44.688Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EVMAPA",
          "vendor": "EVMAPA",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This vulnerability occurs when the system permits multiple simultaneous \nconnections to the backend using the same charging station ID. This can \nresult in unauthorized access, data inconsistency, or potential \nmanipulation of charging sessions. The lack of proper session management\n and expiration control allows attackers to exploit this weakness by \nreusing valid charging station IDs to establish multiple sessions \nconcurrently."
            }
          ],
          "value": "This vulnerability occurs when the system permits multiple simultaneous \nconnections to the backend using the same charging station ID. This can \nresult in unauthorized access, data inconsistency, or potential \nmanipulation of charging sessions. The lack of proper session management\n and expiration control allows attackers to exploit this weakness by \nreusing valid charging station IDs to establish multiple sessions \nconcurrently."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:32:48.138Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "EVMAPA informed CISA they have resolved this issue and do not allow \nsimultaneous connection of charging stations with the same CBID.\n\n\u003cbr\u003e"
            }
          ],
          "value": "EVMAPA informed CISA they have resolved this issue and do not allow \nsimultaneous connection of charging stations with the same CBID."
        }
      ],
      "source": {
        "advisory": "ICSA-26-022-08",
        "discovery": "EXTERNAL"
      },
      "title": "EVMAPA Insufficient Session Expiration",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-55705",
    "datePublished": "2026-01-22T22:32:48.138Z",
    "dateReserved": "2025-08-20T20:20:15.075Z",
    "dateUpdated": "2026-01-23T20:10:44.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-55705\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2026-01-22T23:15:50.137\",\"lastModified\":\"2026-01-22T23:15:50.137\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This vulnerability occurs when the system permits multiple simultaneous \\nconnections to the backend using the same charging station ID. This can \\nresult in unauthorized access, data inconsistency, or potential \\nmanipulation of charging sessions. The lack of proper session management\\n and expiration control allows attackers to exploit this weakness by \\nreusing valid charging station IDs to establish multiple sessions \\nconcurrently.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]}],\"references\":[{\"url\":\"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55705\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-23T20:10:35.019479Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-23T20:10:40.473Z\"}}], \"cna\": {\"title\": \"EVMAPA Insufficient Session Expiration\", \"source\": {\"advisory\": \"ICSA-26-022-08\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"EVMAPA\", \"product\": \"EVMAPA\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"EVMAPA informed CISA they have resolved this issue and do not allow \\nsimultaneous connection of charging stations with the same CBID.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"EVMAPA informed CISA they have resolved this issue and do not allow \\nsimultaneous connection of charging stations with the same CBID.\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"This vulnerability occurs when the system permits multiple simultaneous \\nconnections to the backend using the same charging station ID. This can \\nresult in unauthorized access, data inconsistency, or potential \\nmanipulation of charging sessions. The lack of proper session management\\n and expiration control allows attackers to exploit this weakness by \\nreusing valid charging station IDs to establish multiple sessions \\nconcurrently.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"This vulnerability occurs when the system permits multiple simultaneous \\nconnections to the backend using the same charging station ID. This can \\nresult in unauthorized access, data inconsistency, or potential \\nmanipulation of charging sessions. The lack of proper session management\\n and expiration control allows attackers to exploit this weakness by \\nreusing valid charging station IDs to establish multiple sessions \\nconcurrently.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-613\", \"description\": \"CWE-613\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2026-01-22T22:32:48.138Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55705\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-23T20:10:44.688Z\", \"dateReserved\": \"2025-08-20T20:20:15.075Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2026-01-22T22:32:48.138Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.