{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-54816","assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","state":"PUBLISHED","assignerShortName":"icscert","dateReserved":"2025-08-20T20:20:15.065Z","datePublished":"2026-01-22T22:40:55.625Z","dateUpdated":"2026-01-23T20:12:02.940Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"EVMAPA","vendor":"EVMAPA","versions":[{"status":"affected","version":"All versions"}]}],"credits":[{"lang":"en","type":"finder","value":"Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"This vulnerability occurs when a WebSocket endpoint does not enforce \nproper authentication mechanisms, allowing unauthorized users to \nestablish connections. As a result, attackers can exploit this weakness \nto gain unauthorized access to sensitive data or perform unauthorized \nactions. Given that no authentication is required, this can lead to \nprivilege escalation and potentially compromise the security of the \nentire system.\n\n<br>"}],"value":"This vulnerability occurs when a WebSocket endpoint does not enforce \nproper authentication mechanisms, allowing unauthorized users to \nestablish connections. As a result, attackers can exploit this weakness \nto gain unauthorized access to sensitive data or perform unauthorized \nactions. Given that no authentication is required, this can lead to \nprivilege escalation and potentially compromise the security of the \nentire system."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":9.4,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-306","description":"CWE-306","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2026-01-22T22:40:55.625Z"},"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08"},{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json"}],"source":{"advisory":"ICSA-26-022-08","discovery":"EXTERNAL"},"title":"EVMAPA Missing Authentication for Critical Function","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"EVMAPA informed CISA some of their charging stations do not allow \nchanges to the authorization key using the Open Charge Point Protocol \n(OCPP). Currently, charge point operators have the option to connect \nstations using WebSocket Secure (WSS), and EVMAPA connects stations they\n supply via their own VPN. For OCPP 2.x and newer stations, EVMAPA plans\n to implement BASIC authorization control."}],"value":"EVMAPA informed CISA some of their charging stations do not allow \nchanges to the authorization key using the Open Charge Point Protocol \n(OCPP). Currently, charge point operators have the option to connect \nstations using WebSocket Secure (WSS), and EVMAPA connects stations they\n supply via their own VPN. For OCPP 2.x and newer stations, EVMAPA plans\n to implement BASIC authorization control."}],"x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-23T20:11:52.287743Z","id":"CVE-2025-54816","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-23T20:12:02.940Z"}}]}}