CVE-2025-27803: CWE-306 Missing Authentication for Critical Function in eCharge Hardy Barth cPH2 / cPP2 charging stations
The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can perform arbitrary administrative actions and reconfigure the devices or potentially gain access to sensitive data.
AI Analysis
Technical Summary
CVE-2025-27803 is a vulnerability identified in the eCharge Hardy Barth cPH2 and cPP2 electric vehicle charging stations, specifically in firmware versions up to and including 2.2.0. The core issue is the complete absence of authentication mechanisms for both the web interface and the MQTT server used by these devices. This means that any attacker with network access to the charging station can immediately gain administrative privileges without needing any credentials or user interaction. Once administrative access is obtained, the attacker can perform arbitrary administrative actions such as reconfiguring the device, potentially disrupting charging operations, or accessing sensitive data stored or transmitted by the device. The vulnerability is categorized under CWE-306 (Missing Authentication for Critical Function), highlighting the failure to enforce authentication controls on critical management interfaces. The CVSS v3.1 score assigned is 6.5 (medium severity), reflecting a network attack vector with high complexity, no privileges required, and no user interaction needed. The impact on confidentiality is high, as sensitive data can be accessed, while integrity impact is low and availability impact is none according to the CVSS vector. No known exploits are reported in the wild as of the publication date. The lack of authentication on critical interfaces in IoT infrastructure devices like EV charging stations poses a significant security risk, especially as these devices are increasingly integrated into smart grids and critical infrastructure environments.
Potential Impact
For European organizations, this vulnerability presents a notable risk given the widespread adoption of electric vehicles and the corresponding expansion of EV charging infrastructure across Europe. Charging stations are often deployed in public, semi-public, and private environments, including commercial parking lots, residential complexes, and municipal facilities. An attacker exploiting this vulnerability could disrupt charging services, leading to operational downtime and customer dissatisfaction. More critically, unauthorized administrative access could allow attackers to manipulate charging parameters, potentially causing hardware damage or safety hazards. Additionally, sensitive data such as usage logs, user credentials (if stored), or network configuration details could be exposed, leading to privacy violations or further network compromise. Given the increasing interconnection of charging stations with energy management systems and smart grids, exploitation could also serve as a foothold for broader attacks on energy infrastructure. European organizations involved in EV infrastructure, energy providers, and facility managers must consider these risks, especially as regulatory frameworks in Europe emphasize cybersecurity for critical infrastructure.
Mitigation Recommendations
To mitigate this vulnerability effectively, organizations should prioritize the following actions:
1) Immediate firmware upgrade: Apply any available patches or firmware updates from eCharge Hardy Barth that introduce authentication mechanisms. If no patch is currently available, engage with the vendor to obtain a timeline or interim mitigations.
2) Network segmentation: Isolate charging stations on dedicated network segments with strict access controls, limiting network access only to trusted management systems and personnel.
3) Implement network-level authentication: Use VPNs or IPsec tunnels to restrict access to the devices’ management interfaces, ensuring that only authenticated and authorized users can reach them.
4) Monitor network traffic: Deploy intrusion detection/prevention systems (IDS/IPS) to detect anomalous access attempts or unauthorized configuration changes targeting the charging stations.
5) Physical security: Ensure physical access to the devices is restricted to prevent local network attacks or direct device manipulation.
6) Vendor engagement: Work closely with eCharge Hardy Barth to advocate for timely security updates and request detailed guidance on secure deployment practices.
7) Incident response planning: Prepare for potential exploitation scenarios by developing response plans that include device isolation, forensic analysis, and recovery procedures.
These steps go beyond generic advice by focusing on compensating controls and vendor collaboration in the absence of immediate patches.
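An added example (not from the vendor or the advisory) of the traffic review behind recommendations 2 and 4: it reads firewall flow records and reports any source outside the management subnet that reached, or tried to reach, a charger's web or MQTT port. The log format, addresses, management subnet and ports (80/443 for the web interface, 1883 for MQTT) are assumptions; the advisory does not state them.

```python
import ipaddress

# All addresses, ports and log lines below are constructed for illustration.
CHARGERS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/28")]   # assumed management subnet
MGMT_PORTS = {80: "web", 443: "web", 1883: "mqtt"}   # assumed default HTTP/MQTT ports

# Assumed record format: time src dst dport proto action
SAMPLE_FLOWS = """\
2025-05-21T09:00:01Z 10.99.0.5 10.20.0.11 443 tcp ALLOW
2025-05-21T09:00:07Z 10.30.4.77 10.20.0.11 1883 tcp ALLOW
2025-05-21T09:01:12Z 10.30.4.77 10.20.0.12 80 tcp DENY
2025-05-21T09:02:30Z 10.99.0.5 10.20.0.12 1883 tcp ALLOW
2025-05-21T09:03:44Z 192.0.2.10 10.20.0.12 80 tcp ALLOW
2025-05-21T09:04:02Z 10.30.4.77 10.40.1.9 1883 tcp ALLOW
malformed line
"""

def review_flows(text):
    """Return findings for non-management sources touching charger interfaces."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        ts, src, dst, dport, _proto, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if dst_ip not in CHARGERS or port not in MGMT_PORTS:
            continue  # not a charger management interface
        if any(src_ip in net for net in MGMT_NETS):
            continue  # expected management traffic
        # ALLOW means segmentation did not hold; DENY is a blocked attempt to track.
        kind = "segmentation-gap" if action == "ALLOW" else "blocked-attempt"
        findings.append({"time": ts, "src": src, "dst": dst,
                         "service": MGMT_PORTS[port], "kind": kind})
    return findings

if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f"{f['time']} {f['kind']:16} {f['src']} -> {f['dst']} ({f['service']})")
```

Because the interfaces have no authentication of their own, every "segmentation-gap" finding is a source that had administrative reach to the device, so each one warrants a firewall rule fix and a configuration review of the charger.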
Affected Countries
Germany, France, Netherlands, Belgium, Sweden, Norway, Denmark, United Kingdom, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-03-07T06:46:34.309Z
- Cisa Enriched: false
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682dbb0ac4522896dcbfbbd3
Added to database: 5/21/2025, 11:37:46 AM
Last enriched: 7/6/2025, 4:56:27 AM
Last updated: 8/3/2025, 4:14:08 AM