Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.
https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01