
CVE-2025-3881: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in eCharge Hardy Barth cPH2

Severity: High
Tags: Vulnerability, CVE-2025-3881, cve, cve-2025-3881, cwe-78
Published: Thu May 22 2025 (05/22/2025, 00:48:31 UTC)
Source: CVE
Vendor/Project: eCharge Hardy Barth
Product: cPH2

Description

eCharge Hardy Barth cPH2 check_req.php ntp Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of eCharge Hardy Barth cPH2 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the ntp parameter provided to the check_req.php endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-23113.

AI-Powered Analysis

Last updated: 07/07/2025, 09:57:29 UTC

Technical Analysis

CVE-2025-3881 is a high-severity vulnerability in the eCharge Hardy Barth cPH2 electric vehicle charging station software, specifically affecting version 2.0.4. The vulnerability is classified as CWE-78, which corresponds to improper neutralization of special elements used in an OS command, commonly known as OS command injection. The flaw resides in the check_req.php endpoint, where the 'ntp' parameter is processed without adequate validation or sanitization before being passed to a system call. This lack of input validation allows an unauthenticated, network-adjacent attacker to inject arbitrary commands that the system executes with the privileges of the 'www-data' user. Exploitation does not require any authentication or user interaction, significantly lowering the barrier for attackers. The vulnerability has a high CVSS v3.0 base score of 8.8, reflecting its ease of exploitation and the severe impact on confidentiality, integrity, and availability. Successful exploitation could lead to remote code execution, enabling attackers to manipulate the charging station's software environment, potentially disrupt service, steal sensitive data, or pivot to other networked systems. Although no known exploits have been reported in the wild yet, the vulnerability's characteristics make it a high-risk target for attackers, especially given the critical infrastructure role of EV charging stations. The vulnerability was assigned and published by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-23113, with the official CVE published on May 22, 2025.

Potential Impact

For European organizations, the impact of this vulnerability is significant due to the increasing deployment of eCharge Hardy Barth cPH2 charging stations across the continent as part of the growing electric vehicle infrastructure. Exploitation could lead to unauthorized remote code execution on charging stations, resulting in service disruptions that affect EV users and potentially cause cascading effects on energy management systems. Confidentiality breaches could expose operational data or user information, while integrity compromises might allow attackers to manipulate charging parameters or firmware, leading to safety risks or financial losses. Availability impacts could disrupt charging availability, undermining trust in EV infrastructure. Moreover, compromised charging stations could serve as footholds for lateral movement into corporate or utility networks, amplifying the threat to critical infrastructure. Given the strategic push in Europe towards sustainable transportation, such vulnerabilities pose risks not only to private companies operating charging networks but also to public entities and consumers relying on these services.

Mitigation Recommendations

To mitigate this vulnerability, organizations should prioritize updating the eCharge Hardy Barth cPH2 software to a patched version once available from the vendor. Until a patch is released, network segmentation should be enforced to isolate charging stations from critical internal networks, limiting attacker lateral movement. Implement strict firewall rules to restrict access to the check_req.php endpoint, allowing only trusted management systems where feasible. Employ intrusion detection and prevention systems (IDS/IPS) to monitor for suspicious command injection patterns targeting the ntp parameter. Additionally, consider deploying web application firewalls (WAFs) capable of detecting and blocking OS command injection attempts. Regularly audit and monitor logs for anomalous activities related to charging station endpoints. Organizations should also engage with the vendor for timely security updates and verify the integrity of deployed charging station firmware and software. Finally, incorporate this vulnerability into incident response plans to ensure rapid containment and remediation if exploitation is detected.
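
The log audit recommended above works better as an allowlist than as a list of injection patterns: flag any request to check_req.php whose ntp value is not a plain hostname or IPv4 address. The following is an added example, not vendor or advisory code; it assumes a combined-format access log and that ntp arrives in the query string (the page does not state the HTTP method), and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist: dot-separated DNS labels (also covers IPv4 literals).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Source address and request target from a combined-format access log line.
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def is_plausible_ntp_server(value: str) -> bool:
    # fullmatch, not match + "$": "$" would accept a trailing newline,
    # and a newline is itself a shell command separator.
    return len(value) <= 253 and HOST_RE.fullmatch(value) is not None

def scan_access_log(lines):
    """Return (line_no, source_ip, decoded_ntp_value) for suspicious requests."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/check_req.php"):
            continue
        # parse_qs percent-decodes, so encoded metacharacters are caught too.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("ntp", []):
            if not is_plausible_ntp_server(value):
                findings.append((line_no, m.group("ip"), value))
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2025:10:00:01 +0000] "GET /check_req.php?ntp=pool.ntp.org HTTP/1.1" 200 12',
    '192.0.2.77 - - [01/Jun/2025:10:00:05 +0000] "GET /check_req.php?ntp=pool.ntp.org%3Becho+x HTTP/1.1" 200 12',
    '192.0.2.77 - - [01/Jun/2025:10:00:09 +0000] "GET /check_req.php?ntp=time.example.net%0Aecho+x HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Jun/2025:10:00:12 +0000] "GET /index.php?ntp=a%3Bb HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for line_no, ip, value in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent non-hostname ntp value {value!r}")
```

Access logs normally omit request bodies, so if the endpoint accepts the parameter in a POST body the same check has to run at a reverse proxy or WAF that can see it.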


Technical Details

Data Version: 5.1
Assigner Short Name: zdi
Date Reserved: 2025-04-22T21:42:34.959Z
Cisa Enriched: false
Cvss Version: 3.0
State: PUBLISHED

Threat ID: 682e78df0acd01a249253214

Added to database: 5/22/2025, 1:07:43 AM

Last enriched: 7/7/2025, 9:57:29 AM

Last updated: 8/1/2025, 11:20:41 AM
