CVE-2025-55705
published 2026-01-22


Priority: P260
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% (21.6th percentile)
This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration control allows attackers to exploit this weakness by reusing valid charging station IDs to establish multiple sessions concurrently.

Affected

1 range

Vendor    Product    Version range    Fixed in
evmapa    evmapa

Detection & IOCs (extracted from sources)

  • Monitor for session reuse patterns on OCPP WebSocket endpoints where the same CBID (Charge Box ID) appears in more than one active session simultaneously, which is the direct attack primitive for this vulnerability.
  • Alert on unauthenticated WebSocket connection attempts to EVMAPA OCPP endpoints (related CVE-2025-54816); absence of authentication headers/tokens on WebSocket upgrade requests to the charging management backend is a strong indicator of abuse.
  • Detect brute-force or high-rate authentication attempt patterns against EVMAPA OCPP endpoints (related CVE-2025-53968); a high volume of authentication requests from a single source in a short time window indicates exploitation.
  • All versions of EVMAPA are affected (vers:all/*); there is no version-based scoping possible for detection; any EVMAPA deployment should be treated as vulnerable until patched.
  • The vendor fix for CVE-2025-55705 is a backend-side enforcement change (blocking simultaneous same-CBID connections); detection logic should verify the backend has actually enforced this, as the fix is self-reported by the vendor with no independent verification noted.
  • For CVE-2025-54816 (unauthenticated WebSocket), the vendor mitigation is partial: some charging stations do not support changing the authorization key via OCPP, limiting the ability to enforce authentication universally.
  • No known public exploitation of CVE-2025-55705 has been reported to CISA at time of advisory publication; threat hunting should be prioritized over reactive alerting in the near term.
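
The same-CBID check from the first item above, written as an added example (not code from the advisory or from the vendor). It replays OCPP session events and reports every connect that arrives while the same CBID already has an open session. The log line format, field names and sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; the line format is an assumption, not EVMAPA's.
SAMPLE_LOG = """\
2026-01-20T10:00:00Z CONNECT cbid=CP-0001 conn=a1 src=10.0.0.5
2026-01-20T10:00:02Z CONNECT cbid=CP-0002 conn=b1 src=10.0.0.6
2026-01-20T10:05:00Z CONNECT cbid=CP-0001 conn=a2 src=203.0.113.9
2026-01-20T10:06:00Z DISCONNECT cbid=CP-0002 conn=b1 src=10.0.0.6
2026-01-20T10:07:00Z CONNECT cbid=CP-0002 conn=b2 src=10.0.0.6
2026-01-20T10:08:00Z DISCONNECT cbid=CP-0001 conn=a1 src=10.0.0.5
2026-01-20T10:09:00Z CONNECT cbid=CP-0001 conn=a3 src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CONNECT|DISCONNECT) "
    r"cbid=(?P<cbid>\S+) conn=(?P<conn>\S+) src=(?P<src>\S+)$"
)


def find_concurrent_cbid_sessions(log_text):
    """Return one finding per CONNECT that arrives while the same CBID
    already has at least one open session."""
    active = defaultdict(dict)  # cbid -> {conn_id: source address}
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not session events
        cbid, conn, src = m["cbid"], m["conn"], m["src"]
        if m["event"] == "DISCONNECT":
            active[cbid].pop(conn, None)  # tolerate unknown connection ids
            continue
        if active[cbid]:  # another session for this CBID is still open
            findings.append({
                "ts": m["ts"], "cbid": cbid, "new_conn": conn, "new_src": src,
                "open_conns": sorted(active[cbid]),
                "distinct_sources": sorted(set(active[cbid].values()) | {src}),
            })
        active[cbid][conn] = src
    return findings


if __name__ == "__main__":
    for finding in find_concurrent_cbid_sessions(SAMPLE_LOG):
        print(finding)
```

A clean reconnect (disconnect followed by connect, as CP-0002 does in the sample) produces no finding; on a backend that enforces the fix, the replay should return an empty list.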