cbcvebase.
CVE-2025-54816
published 2026-01-22


Priority: P2 66 | Severity: critical | CVSS 3.1: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.42% (33.5th percentile)
This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

Affected

1 range
Vendor | Product | Version range | Fixed in
evmapa | evmapa | |

Detection & IOCs (extracted from sources)

  • Detection target: unauthenticated WebSocket endpoints in the EVMAPA charging station management backend; flag any WebSocket connection established without authentication credentials as suspicious
  • Monitor for WebSocket connections to EVMAPA backend that lack BASIC authorization headers or WSS (WebSocket Secure) negotiation, particularly over plain WS
  • Alert on privilege escalation attempts or unauthorized command execution originating from unauthenticated WebSocket sessions against EVMAPA OCPP endpoints
  • Detect exploitation attempts on the network: look for inbound WebSocket upgrade requests (answered with HTTP 101 Switching Protocols) to EVMAPA OCPP endpoints from untrusted/external IP ranges with no authentication material (no Authorization header, no token)
  • All versions of EVMAPA are affected (vers:all/*); no version-based scoping is possible for detection, so treat all deployed instances as vulnerable until patched
  • The vulnerability is specific to the OCPP WebSocket endpoint. EVMAPA's interim mitigation is VPN-based isolation for stations they supply, not a code fix, so detections should account for VPN-tunnelled traffic still being at risk if the VPN is compromised
  • No known public exploitation has been reported at time of advisory publication; detections are pre-emptive
  • Deployment is geographically limited to Czechia and Slovakia; scope network monitoring accordingly
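
The handshake checks listed above, as an added example (not code from the advisory or from EVMAPA): it flags OCPP WebSocket upgrade requests that carry no Authorization header or arrive over plain WS, and marks flagged requests from outside a trusted range. Assumptions: the trusted network, host name, path and sample handshakes are constructed; OCPP handshakes are recognised by the OCPP-J subprotocol names (ocpp1.6, ocpp2.0.1) offered in Sec-WebSocket-Protocol.

```python
import ipaddress

# Assumption: networks treated as trusted (e.g. the station VPN); adjust per deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.8.0.0/16")]

def parse_head(raw):
    """Split a raw HTTP request head into (request_line, lower-cased header dict)."""
    lines = raw.strip().split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def _tokens(headers, name):
    """Comma-separated header value as a list of lower-cased tokens."""
    return [t.strip().lower() for t in headers.get(name, "").split(",")]

def is_ocpp_upgrade(headers):
    """True for a WebSocket handshake that offers an OCPP-J subprotocol."""
    return ("websocket" in _tokens(headers, "upgrade")
            and "upgrade" in _tokens(headers, "connection")
            and any(t.startswith("ocpp") for t in _tokens(headers, "sec-websocket-protocol")))

def findings(src_ip, tls, raw):
    """Reasons to flag an OCPP handshake; empty list if clean or not an OCPP upgrade."""
    _, headers = parse_head(raw)
    if not is_ocpp_upgrade(headers):
        return []
    reasons = []
    if "authorization" not in headers:
        reasons.append("no-authorization-header")
    if not tls:
        reasons.append("plain-ws")
    # A trusted (VPN) source does not clear a finding; an untrusted one raises its priority.
    if reasons and not any(ipaddress.ip_address(src_ip) in n for n in TRUSTED_NETS):
        reasons.append("untrusted-source")
    return reasons

# Constructed sample handshakes (not captured traffic): (source IP, TLS used, request head).
HANDSHAKE = ("GET /cp/STATION-001 HTTP/1.1\r\nHost: csms.example\r\nUpgrade: websocket\r\n"
             "Connection: Upgrade\r\nSec-WebSocket-Version: 13\r\nSec-WebSocket-Protocol: ocpp1.6\r\n")
SAMPLES = [("203.0.113.7", False, HANDSHAKE),
           ("10.8.3.20", True, HANDSHAKE + "Authorization: Basic <redacted>\r\n"),
           ("10.8.3.21", True, HANDSHAKE)]

if __name__ == "__main__":
    for src, tls, raw in SAMPLES:
        print(src, findings(src, tls, raw) or "ok")
```

The third sample comes from inside the trusted range and is still flagged, matching the note that VPN-tunnelled sessions remain at risk while the endpoint itself accepts unauthenticated connections.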