CVE-2025-27803: CWE-306 Missing Authentication for Critical Function in eCharge Hardy Barth cPH2 / cPP2 charging stations
The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can perform arbitrary administrative actions and reconfigure the devices or potentially gain access to sensitive data.
AI Analysis
Technical Summary
CVE-2025-27803 identifies a critical security vulnerability in the eCharge Hardy Barth cPH2 and cPP2 electric vehicle charging stations, specifically due to the absence of any authentication mechanisms on both the web interface and the MQTT server. These interfaces are critical for device management and configuration. Without authentication, any attacker with network access—whether local or via a compromised network segment—can gain full administrative privileges instantly. This enables the attacker to perform arbitrary administrative actions, including reconfiguring the charging stations, potentially disrupting service or altering operational parameters. Additionally, the attacker may access sensitive data stored or transmitted by the device. The vulnerability affects firmware versions up to and including 2.2.0. The CVSS 3.1 base score is 6.5 (medium severity), reflecting high confidentiality impact, low integrity impact, and no availability impact. The attack vector is network-based with high attack complexity, requiring no privileges or user interaction. No known exploits have been reported in the wild yet, but the lack of authentication on critical functions is a serious design flaw that could be exploited in targeted attacks or lateral movement scenarios within compromised networks. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), emphasizing the failure to enforce access controls on sensitive operations. Given the increasing deployment of EV charging infrastructure, this vulnerability poses a tangible risk to operational continuity and data security in affected environments.
Potential Impact
For European organizations, the impact of this vulnerability could be significant, especially for those operating or managing EV charging infrastructure using eCharge Hardy Barth cPH2 or cPP2 stations. Unauthorized administrative access could lead to operational disruptions, such as disabling charging services or manipulating charging parameters, which could affect business continuity and customer satisfaction. Confidentiality breaches could expose sensitive user or operational data, potentially violating data protection regulations like GDPR. The lack of authentication also increases the risk of these devices being used as pivot points for broader network intrusion or lateral movement within corporate or municipal networks. Given the growing reliance on EV infrastructure in Europe, successful exploitation could undermine trust in smart grid components and impact critical transportation and energy sectors. Although the vulnerability does not directly affect availability, the indirect consequences of misconfiguration or sabotage could cause service outages or degraded performance. The medium CVSS score reflects these nuanced impacts, but the real-world risk could escalate if combined with other vulnerabilities or insider threats.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately implement network-level protections such as strict segmentation and firewall rules to restrict access to the charging stations' management interfaces and MQTT servers only to trusted administrators and systems. Deploying VPNs or secure tunnels for remote management can further reduce exposure. Monitoring network traffic for unusual access patterns or configuration changes is critical to detect potential exploitation attempts. Organizations should engage with eCharge Hardy Barth to obtain and apply firmware updates or patches as soon as they become available, as the vendor has not yet released fixes. In the interim, disabling or isolating the vulnerable interfaces where possible can reduce risk. Additionally, implementing compensating controls such as strong network authentication, intrusion detection systems, and regular audits of device configurations will help mitigate exploitation risks. Training staff on the risks associated with unsecured IoT and OT devices and maintaining an inventory of deployed charging stations will support proactive security management. Finally, integrating these devices into broader cybersecurity frameworks and incident response plans will enhance resilience against potential attacks leveraging this vulnerability.
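An added example (not part of the original advisory or of any vendor tooling) of the traffic monitoring recommended above: it scans flow records for connections that reach a charging station's web or MQTT port from outside the administrative network. The charger addresses, admin subnet, flow-log format and port numbers (80/443 for the web interface, 1883/8883 as the conventional MQTT ports) are assumptions, since the advisory does not list them.

```python
import ipaddress

# Constructed inventory and allowlist (assumptions, not from the advisory).
CHARGERS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
ADMIN_NETS = [ipaddress.ip_network("10.20.99.0/28")]
# Assumed listener ports: web interface and conventional MQTT ports.
MGMT_PORTS = {80: "web", 443: "web", 1883: "mqtt", 8883: "mqtt"}

# Constructed flow records in the form "timestamp src dst dport proto".
SAMPLE_FLOWS = """\
2025-05-21T11:02:10Z 10.20.99.4 10.20.0.11 80 tcp
2025-05-21T11:02:41Z 10.20.99.4 10.20.0.11 1883 tcp
2025-05-21T11:05:03Z 10.30.7.52 10.20.0.12 1883 tcp
2025-05-21T11:05:09Z 10.30.7.52 10.20.0.12 80 tcp
2025-05-21T11:06:30Z 10.30.7.52 10.20.0.40 80 tcp
2025-05-21T11:07:12Z 192.0.2.77 10.20.0.11 443 tcp
malformed line
2025-05-21T11:08:00Z 10.20.0.12 10.20.0.11 1883 tcp
"""

def parse_flow(line):
    """Return (ts, src, dst, dport), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, _proto = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None

def find_violations(text):
    """Flows to a charger management port whose source is not in ADMIN_NETS."""
    alerts, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        flow = parse_flow(line)
        if flow is None:
            skipped += 1  # count unparsable records instead of hiding them
            continue
        ts, src, dst, dport = flow
        if dst not in CHARGERS or dport not in MGMT_PORTS:
            continue
        # Charger-to-charger traffic is flagged too: the unauthenticated
        # interfaces make a compromised neighbour as capable as an admin.
        if not any(src in net for net in ADMIN_NETS):
            alerts.append((ts, str(src), str(dst), MGMT_PORTS[dport]))
    return alerts, skipped

if __name__ == "__main__":
    for alert in find_violations(SAMPLE_FLOWS)[0]:
        print("ALERT", *alert)
```

Because the devices themselves enforce no authentication, every alert means the segmentation rule failed and the source had full administrative reach.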
Affected Countries
Germany, Netherlands, France, Norway, United Kingdom, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-03-07T06:46:34.309Z
- Cisa Enriched: false
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682dbb0ac4522896dcbfbbd3
Added to database: 5/21/2025, 11:37:46 AM
Last enriched: 11/4/2025, 2:29:15 AM
Last updated: 11/21/2025, 5:20:46 AM