
CVE-2025-27804: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in eCharge Hardy Barth cPH2 / cPP2 charging stations

Medium
Tags: Vulnerability, CVE-2025-27804, CWE-78
Published: Wed May 21 2025 (05/21/2025, 11:35:11 UTC)
Source: CVE
Vendor/Project: eCharge Hardy Barth
Product: cPH2 / cPP2 charging stations

Description

Several OS command injection vulnerabilities exist in the device firmware, in the /var/salia/mqtt.php script. By publishing a specially crafted message to a certain MQTT topic, arbitrary OS commands can be executed with root permissions.

AI-Powered Analysis

Last updated: 07/06/2025, 04:56:40 UTC

Technical Analysis

CVE-2025-27804 is an OS command injection vulnerability identified in the firmware of eCharge Hardy Barth cPH2 and cPP2 electric vehicle charging stations, specifically in the /var/salia/mqtt.php script. The vulnerability arises from improper neutralization of special elements used in OS commands (CWE-78), allowing an attacker to execute arbitrary operating system commands with root privileges. The exploitation vector involves publishing a specially crafted message to a particular MQTT topic that the device subscribes to. Since MQTT is a lightweight messaging protocol commonly used in IoT and industrial control systems, this attack vector is significant because it can be triggered remotely over the network without user interaction. The vulnerability affects firmware versions up to and including 2.2.0. The CVSS v3.1 base score is 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). Although exploitation requires high privileges, the root-level command execution capability means that if an attacker can gain the necessary MQTT access, they can fully compromise the device’s operating system. This could lead to unauthorized control over the charging station, manipulation of charging operations, or pivoting into connected networks. No public exploits are currently known, and no patches have been linked yet, indicating a need for urgent vendor response and mitigation by operators.

Potential Impact

For European organizations, particularly those operating electric vehicle charging infrastructure, this vulnerability poses a significant risk. Charging stations are critical infrastructure components supporting the growing EV ecosystem, and compromise could disrupt services, cause financial losses, or damage reputation. Root-level command execution allows attackers to manipulate charging sessions, potentially causing physical damage to connected vehicles or the grid. Confidentiality breaches could expose sensitive operational data or user information. Integrity violations could allow attackers to alter firmware or software, implant persistent malware, or use the charging stations as a foothold for lateral movement into corporate or utility networks. Given the increasing adoption of EVs in Europe and the strategic importance of energy infrastructure, successful exploitation could have cascading effects on the energy management and transportation sectors. The absence of any user-interaction requirement and the network-based attack vector increase the risk of remote exploitation, especially if MQTT topics are not properly secured or segmented within organizational networks.

Mitigation Recommendations

Operators should immediately audit and restrict access to MQTT brokers and topics associated with the affected charging stations, implementing strong authentication and authorization controls to prevent unauthorized message publishing. Network segmentation should isolate charging station management interfaces from general corporate or public networks. Monitoring MQTT traffic for anomalous or unexpected messages can help detect exploitation attempts. Until vendor patches are available, consider disabling or restricting MQTT functionality if feasible. Firmware should be updated promptly once a patch is released. Additionally, implementing host-based intrusion detection on charging station devices, if supported, can alert on suspicious command executions. Vendors should be engaged to provide timely patches and guidance. Organizations should also review their incident response plans to include scenarios involving IoT device compromise in critical infrastructure.
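The two controls recommended above, restricting who may publish to command topics and inspecting command payloads for anything that does not match the narrow value the device expects, can be exercised offline against a broker's publish records. The Python script below is an added example and is not code from the vendor, the cPH2/cPP2 firmware or this advisory; the topic filters (chargers/+/cmd/...), the payload grammars, the client names and the sample publish records are all constructed assumptions, since this page does not name the actual topic the firmware subscribes to. The same `validate_command` allowlist check is also the input-validation shape that a message handler should apply before any payload value gets anywhere near a shell.

```python
"""Audit MQTT publishes to charging-station command topics.

Added example, not firmware or vendor code. Topic names, payload grammars,
client identifiers and the sample records below are constructed for
illustration only.
"""
import re
from dataclasses import dataclass

# Characters that are never legitimate inside a bounded device parameter but
# are what a shell needs to chain or substitute commands (the CWE-78 pattern).
SHELL_META = re.compile(r"[;&|`$<>()\\\r\n]")

# Hypothetical allowlist: each command topic filter maps to the exact grammar
# of the single value it accepts. Anything else is rejected before use.
PAYLOAD_RULES = {
    "chargers/+/cmd/set_current": re.compile(r"^(?:[0-9]|[1-5][0-9]|6[0-3])$"),  # 0-63 A
    "chargers/+/cmd/restart": re.compile(r"^now$"),
}


@dataclass
class Finding:
    client: str
    topic: str
    severity: str
    reason: str


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' matches one level, trailing '#' matches the rest."""
    f_parts = filter_.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def validate_command(topic: str, payload: str) -> tuple[bool, str]:
    """Accept a payload only if its topic is allowlisted and the value matches its grammar."""
    for flt, grammar in PAYLOAD_RULES.items():
        if topic_matches(flt, topic):
            if grammar.fullmatch(payload):
                return True, "ok"
            return False, f"payload does not match grammar for {flt}"
    return False, "topic not in command allowlist"


def audit_publishes(records, authorized_publishers: set[str]) -> list[Finding]:
    """Flag publishes that carry shell metacharacters, violate the grammar,
    or come from a client not authorized for command topics."""
    findings: list[Finding] = []
    for rec in records:
        client, topic, payload = rec["client"], rec["topic"], rec["payload"]
        if SHELL_META.search(payload):
            findings.append(Finding(client, topic, "critical", "shell metacharacter in payload"))
        ok, why = validate_command(topic, payload)
        if not ok:
            findings.append(Finding(client, topic, "high", why))
        is_command_topic = any(topic_matches(f, topic) for f in PAYLOAD_RULES)
        if is_command_topic and client not in authorized_publishers:
            findings.append(Finding(client, topic, "high", "unauthorized client published to a command topic"))
    return findings


# Constructed sample publish records, as a broker access log might export them.
SAMPLE_PUBLISHES = [
    {"client": "ems-backend", "topic": "chargers/cp01/cmd/set_current", "payload": "16"},
    {"client": "ems-backend", "topic": "chargers/cp01/cmd/restart", "payload": "now"},
    {"client": "ems-backend", "topic": "chargers/cp02/cmd/set_current", "payload": "16; id"},
    {"client": "guest-laptop", "topic": "chargers/cp01/cmd/set_current", "payload": "32"},
    {"client": "ems-backend", "topic": "chargers/cp01/cmd/set_current", "payload": "99"},
]

if __name__ == "__main__":
    for finding in audit_publishes(SAMPLE_PUBLISHES, {"ems-backend"}):
        print(f"[{finding.severity}] {finding.client} -> {finding.topic}: {finding.reason}")
```

The grammar check is deliberately stricter than a metacharacter blocklist: a value such as `99` contains nothing shell-special yet is still rejected because it is outside the device's range, so the allowlist catches malformed input a blocklist would pass. In a real deployment the `authorized_publishers` set would mirror the broker's ACL for the command topics, and every `critical` finding is a candidate exploitation attempt worth an incident ticket.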


Technical Details

Data Version: 5.1
Assigner Short Name: SEC-VLab
Date Reserved: 2025-03-07T06:46:34.309Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682dbe9bc4522896dcbfc03a

Added to database: 5/21/2025, 11:52:59 AM

Last enriched: 7/6/2025, 4:56:40 AM

Last updated: 8/17/2025, 9:43:01 AM
