
CVE-2025-48413: CWE-798 Use of Hard-coded Credentials in eCharge Hardy Barth cPH2 / cPP2 charging stations

Severity: High
Published: Wed May 21 2025 (05/21/2025, 11:39:19 UTC)
Source: CVE
Vendor/Project: eCharge Hardy Barth
Product: cPH2 / cPP2 charging stations

Description

The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system "root" user. The credentials are shipped with the update files. There is no option for deleting or changing their passwords for an end user. An attacker can use the credentials to log into the device. Authentication can be performed via SSH backdoor or likely via physical access (UART shell).

AI-Powered Analysis

Last updated: 11/04/2025, 01:29:18 UTC

Technical Analysis

CVE-2025-48413 is a vulnerability categorized under CWE-798 (Use of Hard-coded Credentials) affecting eCharge Hardy Barth's cPH2 and cPP2 electric vehicle charging stations running firmware versions up to 2.2.0. The vulnerability arises because the devices ship with hard-coded root user password hashes stored in the system files /etc/passwd and /etc/shadow. These credentials are embedded in the update files and cannot be changed or deleted by the end user, effectively creating a permanent backdoor. An attacker who gains local physical access (e.g., via UART shell) or network access (via SSH) can authenticate as root without needing to guess or brute force passwords. This grants full administrative control over the device, allowing attackers to manipulate charging operations, alter configurations, or use the device as a foothold for lateral movement within the network. The CVSS v3.1 score is 7.7 (high), reflecting the vulnerability's ease of exploitation (low attack complexity, no privileges or user interaction required) but limited to local or network access (attack vector: local). The vulnerability impacts confidentiality and integrity severely but does not directly affect availability. No patches or firmware updates are currently available from the vendor, and no exploits have been observed in the wild. The vulnerability is particularly concerning given the critical role of EV charging infrastructure in energy and transportation sectors. The inability to change or remove the hard-coded credentials means that even diligent operators cannot fully secure affected devices without vendor intervention.

Potential Impact

For European organizations, this vulnerability poses significant risks to the security and reliability of electric vehicle charging infrastructure. Unauthorized root access could allow attackers to manipulate charging sessions, potentially causing financial losses or service disruptions. Attackers could also exfiltrate sensitive operational data or use compromised charging stations as entry points into corporate or critical infrastructure networks, increasing the risk of broader cyberattacks. Given the increasing reliance on EV infrastructure in Europe’s green energy transition, disruption or compromise could undermine public trust and regulatory compliance. The inability to change hard-coded credentials means that affected devices remain vulnerable until patched or replaced, increasing the attack surface. Organizations operating these charging stations in public or private settings must consider the risk of physical tampering as well as remote attacks over local networks. The impact extends beyond individual organizations to national energy security and transportation resilience, especially in countries with high EV adoption and dense charging networks.

Mitigation Recommendations

1. Immediate mitigation should focus on network-level controls: segment charging stations on isolated VLANs or subnets with strict firewall rules to limit SSH access only to trusted management hosts.
2. Enforce strong physical security controls to prevent unauthorized physical access to charging stations, including locked enclosures and surveillance.
3. Monitor network traffic and device logs for unusual SSH login attempts or unexpected shell access.
4. Engage with the vendor to obtain firmware updates or patches that remove or allow changing the hard-coded credentials; prioritize deployment of these updates once available.
5. If vendor patches are unavailable, consider device replacement or deploying compensating controls such as jump hosts or bastion servers for management access.
6. Implement multi-factor authentication and VPN tunnels for remote management where possible to add layers of security.
7. Conduct regular security audits and penetration testing focused on EV charging infrastructure to identify and remediate similar vulnerabilities.
8. Maintain an inventory of affected devices and track firmware versions to ensure timely patch management.
9. Educate operational staff about the risks of hard-coded credentials and the importance of physical and network security for these devices.
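One way to implement the log monitoring in recommendation 3 against the allow list from recommendation 1, as an added example that is not part of the original advisory or any vendor tooling. It assumes the stations' SSH logs reach a syslog collector in the standard OpenSSH format; the hostnames, addresses and `MGMT_NETS` range are constructed.

```python
import ipaddress
import re

# Assumption: the only hosts allowed to SSH into the charging-station VLAN.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]

# Constructed sample lines in RFC 3164 syslog / OpenSSH format.
SAMPLE_LOG = [
    "Nov  4 01:12:07 cph2-lot-a sshd[812]: Accepted password for root from 10.20.0.5 port 50122 ssh2",
    "Nov  4 01:15:44 cph2-lot-a sshd[840]: Failed password for root from 10.30.7.19 port 41810 ssh2",
    "Nov  4 01:15:52 cph2-lot-a sshd[840]: Accepted password for root from 10.30.7.19 port 41810 ssh2",
    "Nov  4 02:03:10 cph2-lot-b sshd[391]: Accepted password for operator from 10.30.7.19 port 50310 ssh2",
]

# OpenSSH success line: authentication method, user, source address.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def _host(line):
    # "Mmm dd hh:mm:ss host tag: msg" -> the 4th whitespace field is the host.
    parts = line.split()
    return parts[3] if len(parts) > 3 else "?"

def suspicious_root_logins(lines, mgmt_nets=MGMT_NETS):
    """Return (host, source, method) for each successful root SSH login
    whose source address is outside the management networks."""
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m or m.group("user") != "root":
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            # Unparseable source: report it rather than silently drop it.
            hits.append((_host(line), m.group("src"), m.group("method")))
            continue
        if not any(src in net for net in mgmt_nets):
            hits.append((_host(line), str(src), m.group("method")))
    return hits

if __name__ == "__main__":
    for hit in suspicious_root_logins(SAMPLE_LOG):
        print("ALERT root login outside management range:", hit)
```

Because the root credential cannot be rotated on affected firmware, every hit is worth triaging even when the login used the correct password.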


Technical Details

Data Version: 5.1
Assigner Short Name: SEC-VLab
Date Reserved: 2025-05-20T07:34:22.865Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682dbe9bc4522896dcbfc036

Added to database: 5/21/2025, 11:52:59 AM

Last enriched: 11/4/2025, 1:29:18 AM

Last updated: 11/22/2025, 7:34:55 PM
