
Critical Authentication Bypass in IGL-Technologies eParking.fi Threatens EV Charging Infrastructure

All versions of IGL-Technologies eParking.fi contain critical authentication and access control vulnerabilities (CVSS 9.4) that could allow attackers to gain unauthorized administrative control over EV charging stations or launch denial-of-service attacks against charging services.

Sebastion

Affected

IGL-Technologies eParking.fi (all versions)

IGL-Technologies eParking.fi, an EV charging management platform, suffers from critical vulnerabilities in authentication mechanisms and access control functions affecting all released versions. The CVSS v3 score of 9.4 indicates near-maximum severity, with the primary attack vector being network-based and requiring no authentication, a classic pre-auth exploitation scenario. The combination of missing authentication for critical functions and improper restrictions suggests attackers can interact with privileged operations without valid credentials.

From an operational technology perspective, this is particularly concerning because EV charging infrastructure represents emerging critical infrastructure. A compromised charging station could facilitate physical access attacks, financial fraud through unauthorized transactions, or widespread service disruption. The administrative control access mentioned in the advisory suggests attackers could modify charging parameters, redirect transactions, or manipulate station firmware. The denial-of-service capability could trigger broad outages affecting multiple stations simultaneously.

The fact that all versions are affected with no apparent patched version available indicates either a zero-day scenario or that vendor remediation has not yet been deployed. This universal impact maximizes the attack surface and suggests organizations cannot trivially upgrade to safety. Given that eParking.fi appears to be a backend management system for charging networks, a single compromised instance could affect multiple physical charging stations.

Defenders should immediately: (1) isolate eParking.fi systems from untrusted networks pending patches; (2) implement strict network segmentation between management systems and publicly accessible charging stations; (3) deploy authentication proxies if available; (4) monitor for suspicious administrative access attempts; (5) contact IGL-Technologies for a remediation timeline and interim controls; and (6) notify regional authorities managing EV infrastructure of the exposure.
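One way to approach step (4), together with the segmentation in steps (1) and (2), is to scan reverse-proxy access logs for administrative requests that succeeded without an authenticated user or arrived from outside the management network. This is an added example, not code from the advisory or from IGL-Technologies; the combined log format, the `/admin/` path prefix, the `10.20.0.0/24` management subnet and the sample lines are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumptions (not from the advisory): combined-format proxy log, admin
# functions under /admin/, management hosts in 10.20.0.0/24.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
ADMIN_PREFIX = "/admin/"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
10.20.0.15 - ops1 [12/Mar/2025:09:14:02 +0000] "GET /admin/stations HTTP/1.1" 200 5120
203.0.113.44 - - [12/Mar/2025:09:15:40 +0000] "POST /admin/stations/17/config HTTP/1.1" 200 64
203.0.113.44 - - [12/Mar/2025:09:15:41 +0000] "GET /admin/users HTTP/1.1" 401 0
198.51.100.9 - ops1 [12/Mar/2025:09:20:11 +0000] "GET /admin/stations HTTP/1.1" 200 5120
192.0.2.7 - - [12/Mar/2025:09:21:00 +0000] "GET /status HTTP/1.1" 200 12
"""

def classify(line):
    """Return an alert tuple for a suspicious admin request, else None."""
    m = LINE_RE.match(line)
    if not m or not m["path"].lower().startswith(ADMIN_PREFIX):
        return None
    try:
        external = ipaddress.ip_address(m["ip"]) not in MGMT_NET
    except ValueError:
        external = True  # unparseable source address: treat as untrusted
    anonymous = m["user"] == "-"
    succeeded = m["status"].startswith("2")
    if anonymous and succeeded:
        # Highest priority: a privileged function answered with no identity.
        reason = "unauthenticated-admin-success"
    elif external:
        # Admin surface reached from outside the segmented management net.
        reason = "admin-access-outside-mgmt-net"
    else:
        return None
    return (reason, m["ip"], m["method"], m["path"], int(m["status"]))

def scan(log_text):
    """Classify every line and keep only the alerts, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Any `unauthenticated-admin-success` hit means a privileged function responded with no credentials presented, which is the condition the advisory describes and warrants immediate isolation of the instance.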

The broader implication is that as EV charging networks scale globally, legacy operational technology vulnerabilities are being exposed at critical infrastructure scale. This advisory should trigger comprehensive security audits of EV charging management platforms across all vendors, as similar authentication failures likely exist in competing products. CISA's emphasis on this vulnerability suggests elevated threat actors are targeting mobility infrastructure.