{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31904", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-03-12T16:52:46.513Z", "datePublished": "2026-03-20T22:45:17.571Z", "dateUpdated": "2026-03-23T14:16:28.724Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-20T22:45:17.571Z"}, "title": "CTEK Chargeportal Improper Restriction of Excessive Authentication Attempts", "datePublic": "2026-03-19T16:18:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-307", "description": "CWE-307", "type": "CWE"}]}], "affected": [{"vendor": "CTEK", "product": "Chargeportal", "versions": [{"status": "affected", "version": "All versions", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WebSocket Application Programming Interface lacks restrictions on the number of\u00a0authentication requests. This absence of rate limiting may allow an attacker to conduct\u00a0denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The WebSocket Application Programming Interface lacks restrictions on the number of&nbsp;authentication requests. This absence of rate limiting may allow an attacker to conduct&nbsp;denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access."}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json"}, {"url": "https://www.ctek.com/support"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "workarounds": [{"lang": "en", "value": "CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information\u00a0 https://www.ctek.com/support .", "supportingMedia": [{"type": "text/html", "base64": false, "value": "CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ctek.com/support\">https://www.ctek.com/support</a>."}]}], "credits": [{"lang": "en", "value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-078-06", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:16:18.382158Z", "id": "CVE-2026-31904", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:16:28.724Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31904", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T14:16:18.382158Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:16:25.878Z"}}], "cna": {"title": "CTEK Chargeportal Improper Restriction of Excessive Authentication Attempts", "source": {"advisory": "ICSA-26-078-06", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CTEK", "product": "Chargeportal", "versions": [{"status": "affected", "version": "All versions", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-19T16:18:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json"}, {"url": "https://www.ctek.com/support"}], "workarounds": [{"lang": "en", "value": "CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information\u00a0 https://www.ctek.com/support .", "supportingMedia": [{"type": "text/html", "value": "CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ctek.com/support\">https://www.ctek.com/support</a>.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The WebSocket Application Programming Interface lacks restrictions on the number of\u00a0authentication requests. This absence of rate limiting may allow an attacker to conduct\u00a0denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.", "supportingMedia": [{"type": "text/html", "value": "The WebSocket Application Programming Interface lacks restrictions on the number of&nbsp;authentication requests. This absence of rate limiting may allow an attacker to conduct&nbsp;denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-20T22:45:17.571Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31904", "state": "PUBLISHED", "dateUpdated": "2026-03-23T14:16:28.724Z", "dateReserved": "2026-03-12T16:52:46.513Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-03-20T22:45:17.571Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ctek:charge_portal:-:*:*:*:*:*:*:*", "matchCriteriaId": "C757F5E2-F4E7-464D-9184-BD665287E411", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WebSocket Application Programming Interface lacks restrictions on the number of\u00a0authentication requests. This absence of rate limiting may allow an attacker to conduct\u00a0denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access."}, {"lang": "es", "value": "La Interfaz de Programaci\u00f3n de Aplicaciones WebSocket carece de restricciones sobre el n\u00famero de solicitudes de autenticaci\u00f3n. Esta ausencia de limitaci\u00f3n de velocidad puede permitir a un atacante llevar a cabo ataques de denegaci\u00f3n de servicio suprimiendo o redirigiendo err\u00f3neamente la telemetr\u00eda leg\u00edtima del cargador, o llevar a cabo ataques de fuerza bruta para obtener acceso no autorizado."}], "id": "CVE-2026-31904", "lastModified": "2026-05-06T15:06:24.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-20T23:16:44.060", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["US Government Resource", "Third Party Advisory"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://www.ctek.com/support"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Chargeportal", "source": "cna", "vendor": "CTEK"}, "product": "chargeportal", "vendor": "ctek"}], "analysis": {"en": {"generated_at": "2026-03-21T07:05:37.168710+00:00", "value": {"mitigation_remediation": ["Contact CTEK for guidance on the sunset transition and any interim security guidance", "Restrict access to the Chargeportal WebSocket endpoint to authorized devices using firewall or VLAN rules", "Implement rate limiting or throttling on the WebSocket service at the network or application layer", "Monitor authentication logs for suspicious or repetitive authentication attempts"], "summary": {"action": "Assess Impact", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects the CTEK Chargeportal product. No specific version information is supplied, so all installations of this product are potentially impacted until the service is sunset.", "description_and_impact": "The vulnerability arises from the WebSocket API of CTEK Chargeportal lacking any restriction on how many authentication attempts can be made. This omission permits an attacker to repeatedly send authentication requests, enabling either brute\u2011force credential discovery or the suppression of legitimate charger telemetry, resulting in a denial\u2011of\u2011service condition for the affected charging infrastructure. The weakness is classified as CWE\u2011307: Authentication Bypass Through Excessive Login Attempts.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity, yet the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access to the WebSocket endpoint; no special authentication or privileged access is needed beyond the public interface. An attacker could simply flood the endpoint with login requests, causing service disruption or credential compromise for legitimate users. Because the product is slated for retirement, the long\u2011term risk to new deployments may be mitigated, but existing installations remain at high risk until appropriate controls are applied."}}}}, "created": "2026-03-23T09:52:17.730901+00:00", "updated": "2026-03-25T14:34:09.921462+00:00", "vendors": ["ctek", "ctek$PRODUCT$chargeportal"]}