CVE-2025-55705
published 2026-01-22CVE-2025-55705: This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in…
PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.30%
21.6th percentile
This vulnerability occurs when the system permits multiple simultaneous
connections to the backend using the same charging station ID. This can
result in unauthorized access, data inconsistency, or potential
manipulation of charging sessions. The lack of proper session management
and expiration control allows attackers to exploit this weakness by
reusing valid charging station IDs to establish multiple sessions
concurrently.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| evmapa | evmapa | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for session reuse patterns on OCPP WebSocket endpoints where the same CBID (Charge Box ID) appears in more than one active session simultaneously, which is the direct attack primitive for this vulnerability. ↗
- →Alert on unauthenticated WebSocket connection attempts to EVMAPA OCPP endpoints (related CVE-2025-54816); absence of authentication headers/tokens on WebSocket upgrade requests to the charging management backend is a strong indicator of abuse. ↗
- →Detect brute-force or high-rate authentication attempt patterns against EVMAPA OCPP endpoints (related CVE-2025-53968); a high volume of authentication requests from a single source in a short time window indicates exploitation. ↗
- ·All versions of EVMAPA are affected (vers:all/*); there is no version-based scoping possible for detection — any EVMAPA deployment should be treated as vulnerable until patched. ↗
- ·The vendor fix for CVE-2025-55705 is a backend-side enforcement change (blocking simultaneous same-CBID connections); detection logic should verify the backend has actually enforced this, as the fix is self-reported by the vendor with no independent verification noted. ↗
- ·For CVE-2025-54816 (unauthenticated WebSocket), the vendor mitigation is partial: some charging stations do not support changing the authorization key via OCPP, limiting the ability to enforce authentication universally. ↗
- ·No known public exploitation of CVE-2025-55705 has been reported to CISA at time of advisory publication; threat hunting should be prioritized over reactive alerting in the near term. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-857q-pww2-xgv7: This vulnerability occurs when the system permits multiple simultaneous
connections to the backend using the same charging station ID
ghsa_unreviewed·2026-01-23
CVE-2025-55705 [HIGH] CWE-613 GHSA-857q-pww2-xgv7: This vulnerability occurs when the system permits multiple simultaneous
connections to the backend using the same charging station ID
This vulnerability occurs when the system permits multiple simultaneous
connections to the backend using the same charging station ID. This can
result in unauthorized access, data inconsistency, or potential
manipulation of charging sessions. The lack of proper session management
and expiration control allows attackers to exploit this weakness by
reusing valid charging station IDs to establish multiple sessions
concurrently.
CISA ICS
EVMAPA
cisa_ics·2026-01-22·CVSS 7.5
[HIGH] EVMAPA
ICS Advisory
##
EVMAPA
Release DateJanuary 22, 2026
Alert CodeICSA-26-022-08
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
Successful exploitation of these vulnerabilities could lead to degraded service, a denial-of-service, or unauthorized remote command execution, which could lead to spoofing or a manipulation of charging station statuses.
The following versions of EVMAPA are affected:
- EVMAPA (CVE-2025-54816, CVE-2025-53968, CVE-2025-55705)
CVSS
Vendor
Equipment
Vulnerabilities
| v3 9.4
| EVMAPA
| EVMAPA
| Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration
## Background
- Critical Infrastructure Sectors:
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-01-22
Published