The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory about vulnerabilities in CTEK's Chargeportal platform that could allow attackers to seize administrative control of electric vehicle charging stations. The vulnerabilities, tracked as CVE-2024-31204 and CVE-2024-31205, carry a maximum CVSS score of 9.4, placing them in the critical severity category.
CISA's Industrial Control Systems (ICS) advisory warns that successful exploitation could enable unauthorized administrative access to the Chargeportal management system. This platform serves as the central control interface for CTEK's commercial EV charging infrastructure, allowing operators to monitor, manage, and configure charging stations remotely.
Technical Details of the Vulnerabilities
The vulnerabilities affect CTEK Chargeportal versions prior to 1.22.2. CVE-2024-31204 is an authentication bypass vulnerability that could allow attackers to gain administrative privileges without proper credentials. CVE-2024-31205 involves improper access control that could enable unauthorized users to perform administrative actions.
According to CISA's advisory, these vulnerabilities exist in the web-based management interface of the Chargeportal platform. Attackers could exploit them remotely without requiring authentication, making them particularly dangerous for internet-connected charging infrastructure.
Potential Impact on EV Charging Infrastructure
Successful exploitation of these vulnerabilities could have severe consequences for EV charging operations. Attackers with administrative access could potentially disable charging stations, manipulate charging rates, access user data, or disrupt entire charging networks. In a worst-case scenario, attackers could use compromised charging stations as entry points to broader corporate or utility networks.
The timing of this disclosure is particularly concerning as EV adoption accelerates globally. Public and commercial charging infrastructure represents critical infrastructure that supports transportation, commerce, and daily mobility for millions of users.
CTEK's Response and Mitigation Measures
CTEK has released version 1.22.2 of Chargeportal to address these vulnerabilities. The company recommends that all users immediately update to this version. For systems that cannot be updated immediately, CTEK suggests implementing network segmentation to isolate charging infrastructure from other networks and restricting access to the Chargeportal management interface to trusted IP addresses only.
CISA's advisory includes specific mitigation recommendations:
- Minimize network exposure for all control system devices
- Locate control system networks behind firewalls
- Use secure remote access methods like VPNs
- Implement multi-factor authentication where possible
- Regularly update and patch all systems
Broader Implications for EV Charging Security
This advisory highlights growing concerns about the security of EV charging infrastructure. As charging stations become more connected and sophisticated, they present increasingly attractive targets for cyber attackers. The CTEK vulnerabilities demonstrate how management portals—often web-based interfaces designed for convenience—can become single points of failure for entire charging networks.
The automotive and energy sectors have been working to establish security standards for EV charging infrastructure, but incidents like this show that implementation gaps remain. The high CVSS score (9.4) indicates these vulnerabilities are relatively easy to exploit and could cause significant impact if successfully exploited.
Recommendations for Charging Network Operators
Operators of CTEK charging infrastructure should take immediate action. First, verify the version of Chargeportal in use and update to version 1.22.2 if not already running this patched version. Second, conduct security assessments of charging network architecture, paying particular attention to how management interfaces are exposed to networks.
Network segmentation should be a priority—charging infrastructure should operate on dedicated networks separate from corporate IT systems. Access controls should be reviewed and strengthened, with particular attention to administrative interfaces. Regular security monitoring should be implemented to detect potential compromise attempts.
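The version check and the trusted-source restriction described above can be audited together from an asset inventory. The following Python sketch is an added example, not code from CTEK or CISA; the inventory columns, site names, and trusted network range are hypothetical and constructed for illustration.

```python
import csv
import io
import ipaddress

FIXED_VERSION = (1, 22, 2)  # patched Chargeportal release named in the article

# Constructed sample inventory; column names and all values are hypothetical.
SAMPLE_INVENTORY = """site,version,mgmt_allowed_sources
depot-north,1.22.2,10.20.0.0/24
depot-south,1.21.9,10.20.0.0/24
mall-garage,1.22.2,0.0.0.0/0
fleet-yard,1.9.10,10.20.0.0/24;198.51.100.0/24
"""

# Assumption: the operator's trusted management network(s).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_version(text):
    """Turn '1.22.2' into (1, 22, 2) so comparison is numeric, not lexical."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def untrusted_sources(field):
    """Return allowed source ranges not fully contained in a trusted network."""
    nets = [ipaddress.ip_network(s.strip()) for s in field.split(";") if s.strip()]
    return [str(n) for n in nets
            if not any(n.version == t.version and n.subnet_of(t)
                       for t in TRUSTED_NETS)]


def audit(inventory_csv):
    """Return one finding per site that is unpatched or over-exposed."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        needs_patch = parse_version(row["version"]) < FIXED_VERSION
        exposed = untrusted_sources(row["mgmt_allowed_sources"])
        if needs_patch or exposed:
            findings.append({"site": row["site"], "needs_patch": needs_patch,
                             "untrusted_sources": exposed})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

Comparing parsed tuples matters here: a plain string comparison would rank 1.9.10 above 1.22.2 and miss an unpatched site.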
For organizations using multiple vendors' charging equipment, this incident serves as a reminder to apply consistent security standards across all infrastructure. Vendor management programs should include regular security assessments and patch management requirements.
The Evolving Threat Landscape for Critical Infrastructure
The CTEK advisory follows a pattern of increasing attention to industrial control system security. CISA has been particularly active in identifying and disclosing vulnerabilities in critical infrastructure components, from power grid equipment to transportation systems. The high CVSS score assigned to these vulnerabilities reflects their potential impact on essential services.
EV charging infrastructure sits at the intersection of transportation and energy—two sectors that have historically faced cybersecurity challenges. As these systems become more interconnected, vulnerabilities in one component can have cascading effects across multiple sectors.
Looking Forward: Security in the EV Ecosystem
This incident will likely accelerate security improvements across the EV charging industry. Manufacturers may face increased pressure to implement security-by-design principles in their products. Regulatory bodies may develop more specific security requirements for charging infrastructure, particularly for publicly accessible stations.
For CTEK specifically, the company will need to demonstrate that it has strengthened its security development lifecycle to prevent similar vulnerabilities in future releases. Transparency about security practices and rapid response to vulnerabilities will be crucial for maintaining customer trust.
The broader EV ecosystem—including automakers, charging network operators, and utility companies—should view this advisory as a wake-up call. Security cannot be an afterthought in infrastructure that supports essential transportation needs. Regular security assessments, prompt patching, and defense-in-depth strategies will be essential as EV adoption continues to grow.
Operators who act quickly to address these vulnerabilities can minimize their risk exposure. Those who delay may find themselves vulnerable to attacks that could disrupt charging services, compromise customer data, or damage their organization's reputation. In an increasingly connected transportation ecosystem, security is no longer optional—it's fundamental to reliable operation.