CVE-2025-3883: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in eCharge Hardy Barth cPH2

Severity: High
Tags: Vulnerability, CVE-2025-3883, cve, cve-2025-3883, cwe-78
Published: Thu May 22 2025 (05/22/2025, 00:48:41 UTC)
Source: CVE
Vendor/Project: eCharge Hardy Barth
Product: cPH2

Description

eCharge Hardy Barth cPH2 index.php Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of eCharge Hardy Barth cPH2 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of GET parameters provided to the index.php endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-23115.

AI-Powered Analysis

AI analysis last updated: 07/07/2025, 10:11:42 UTC

Technical Analysis

CVE-2025-3883 is a critical security vulnerability classified under CWE-78, indicating an OS Command Injection flaw in the eCharge Hardy Barth cPH2 electric vehicle charging station software, specifically version 2.0.4. The vulnerability resides in the index.php endpoint, where GET parameters are improperly sanitized before being used in system calls. This lack of input validation allows a network-adjacent attacker to inject arbitrary OS commands that are executed with the privileges of the web server user (www-data). Notably, exploitation does not require authentication or user interaction, significantly increasing the risk. The vulnerability was publicly disclosed on May 22, 2025, with a CVSS v3.0 score of 8.8, reflecting high severity due to its impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the ease of exploitation and the critical nature of the flaw make it a significant threat. The vulnerability could allow attackers to execute arbitrary code, potentially leading to full system compromise, data theft, disruption of charging services, or pivoting into broader network environments.

Potential Impact

For European organizations deploying eCharge Hardy Barth cPH2 charging stations, this vulnerability poses a substantial risk. Exploitation can lead to unauthorized control over charging infrastructure, potentially disrupting electric vehicle charging availability, which is critical as Europe advances its green energy and transportation initiatives. Confidential data related to user charging sessions or payment information could be exposed or manipulated. Furthermore, compromised charging stations could serve as entry points for lateral movement into corporate or municipal networks, amplifying the threat. The operational disruption could affect public and private charging networks, undermining trust and causing financial and reputational damage. Given the growing reliance on EV infrastructure in Europe, the impact extends beyond individual organizations to broader energy and transportation sectors.

Mitigation Recommendations

Immediate mitigation should focus on isolating affected charging stations from untrusted networks to reduce exposure. Network segmentation and strict firewall rules should limit access to the index.php endpoint only to trusted management systems. Since no official patch is currently available, organizations should implement Web Application Firewall (WAF) rules to detect and block suspicious command injection patterns in GET parameters targeting index.php. Monitoring logs for unusual system calls or web requests can help identify exploitation attempts early. Vendors and operators should prioritize developing and deploying patches or firmware updates to properly sanitize input parameters. Additionally, organizations should conduct thorough security assessments of their EV charging infrastructure and consider compensating controls such as disabling remote management interfaces if not required. Regularly updating and hardening the underlying operating system and web server environment can also reduce the attack surface.
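
The log-monitoring step recommended above can be sketched as follows. This is an added example, not vendor or advisory code; it assumes a combined-format web access log, and the `page` parameter name and the sample lines are constructed, since the advisory does not name the affected parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a combined-format access log line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters a shell treats specially; none belong in a plain parameter value.
SHELL_META = re.compile(r"[;|&`$(){}<>\\\n\r]")

# Constructed sample lines; the "page" parameter name is hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2025:01:00:00 +0000] "GET /index.php?page=status HTTP/1.1" 200 512',
    '192.0.2.44 - - [22/May/2025:01:00:05 +0000] "GET /index.php?page=status%3Becho+x HTTP/1.1" 200 498',
    '192.0.2.44 - - [22/May/2025:01:00:09 +0000] "GET /index.php?page=a%2560date%2560 HTTP/1.1" 200 498',
    '192.0.2.10 - - [22/May/2025:01:00:12 +0000] "GET /style.css?v=1%3B2 HTTP/1.1" 200 90',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so a double-encoded %253B is seen as ';'."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_params(line):
    """Return (ip, [(name, decoded_value), ...]) for flagged GET requests to index.php."""
    m = REQUEST.match(line)
    if not m or m["method"] != "GET":
        return None, []
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/index.php"):
        return m["ip"], []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return m["ip"], hits

def scan(lines):
    """Group flagged parameters by source address."""
    alerts = {}
    for line in lines:
        ip, hits = suspicious_params(line)
        if hits:
            alerts.setdefault(ip, []).extend(hits)
    return alerts

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Decoding repeatedly before matching matters because a filter that decodes only once would pass the double-encoded third sample line.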

Technical Details

Data Version: 5.1
Assigner Short Name: zdi
Date Reserved: 2025-04-22T21:42:43.669Z
Cisa Enriched: false
Cvss Version: 3.0
State: PUBLISHED

Threat ID: 682e78df0acd01a249253218

Added to database: 5/22/2025, 1:07:43 AM

Last enriched: 7/7/2025, 10:11:42 AM

Last updated: 8/11/2025, 9:30:10 PM
