CVE-2025-48413: CWE-798 Use of Hard-coded Credentials in eCharge Hardy Barth cPH2 / cPP2 charging stations

Severity: High
Type: Vulnerability
Published: Wed May 21 2025 (05/21/2025, 11:39:19 UTC)
Source: CVE
Vendor/Project: eCharge Hardy Barth
Product: cPH2 / cPP2 charging stations

Description

The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system "root" user. The credentials are shipped with the update files. End users have no option to delete or change these passwords. An attacker can use the credentials to log into the device. Authentication can be performed via SSH backdoor or likely via physical access (UART shell).

AI-Powered Analysis

Last updated: 07/06/2025, 04:57:15 UTC

Technical Analysis

CVE-2025-48413 is a high-severity vulnerability affecting eCharge Hardy Barth cPH2 and cPP2 electric vehicle charging stations, specifically versions up to and including 2.2.0. The vulnerability arises from the presence of hard-coded password hashes for the root user within critical system files (`/etc/passwd` and `/etc/shadow`) that are shipped with the device's update files. These credentials cannot be changed or removed by the end user, effectively creating a permanent backdoor. An attacker with knowledge of these credentials can gain root-level access to the device either remotely via SSH or locally through physical access methods such as a UART shell interface.

The vulnerability is classified under CWE-798, indicating the use of hard-coded credentials, which is a well-known security weakness that can lead to unauthorized access and control. The CVSS 3.1 base score is 7.7, reflecting high severity, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). No known exploits are currently reported in the wild, but the vulnerability poses a significant risk due to the ease of exploitation once physical or local network access is obtained.
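As an added illustration (not code from the vendor or from this advisory), the following audit reads the `passwd` and `shadow` files of an unpacked firmware update and reports every account that ships with a usable password hash, which is the condition described above. The sample file contents, the `service` account and all function names are constructed for the example.

```python
# Added example: flag accounts whose password hash ships inside a firmware
# image. All file contents below are constructed sample data.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$y$": "yescrypt", "$2b$": "bcrypt"}
NON_LOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")

def classify(field):
    """Return None for a locked field, else 'empty' or the hash scheme."""
    if field == "":
        return "empty"                    # account logs in with no password
    if field[0] in "!*":
        return None                       # locked: no password can match
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "des-or-unknown"

def fields(text, minimum):
    """Yield colon-split records with at least `minimum` fields."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= minimum and not line.lstrip().startswith("#"):
            yield parts

def audit(passwd_text, shadow_text):
    """Return (user, uid, source_file, scheme, interactive_shell) findings."""
    shadow = {p[0]: p[1] for p in fields(shadow_text, 2)}
    findings = []
    for p in fields(passwd_text, 7):
        user, pw, uid, shell = p[0], p[1], int(p[2]), p[6]
        source = "passwd"
        if pw == "x":                     # hash lives in the shadow file
            pw, source = shadow.get(user, "*"), "shadow"
        scheme = classify(pw)
        if scheme is not None:
            findings.append((user, uid, source, scheme,
                             shell not in NON_LOGIN_SHELLS))
    return findings

PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
service:$1$CONSTRUCTED$notARealHash:0:0::/root:/bin/sh
www:x:33:33::/var/www:/usr/sbin/nologin
"""
SHADOW = """root:$6$CONSTRUCTED$notARealHash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www:!:19000::::::
"""

if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW):
        print(finding)
```

A finding with UID 0, an interactive shell and a hash that is identical across update files for different devices indicates a shared, vendor-set credential rather than a per-device one.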

Potential Impact

For European organizations deploying eCharge Hardy Barth cPH2 and cPP2 charging stations, this vulnerability presents a serious risk. Unauthorized root access could allow attackers to manipulate charging station operations, potentially disrupting electric vehicle charging services, altering billing data, or using the compromised devices as pivot points for lateral movement within organizational networks. Confidential information stored on the devices or accessible through them could be exposed or altered, undermining data integrity and confidentiality. Given the increasing reliance on electric vehicle infrastructure in Europe, such compromises could affect critical transportation and energy sectors, damaging organizational reputation and causing operational disruptions. The inability to change or remove the hard-coded credentials exacerbates the risk, as compromised devices remain vulnerable until patched or replaced. Additionally, physical access vectors mean that attackers with proximity to the devices (e.g., in public or semi-public charging locations) could exploit the vulnerability, increasing the attack surface.

Mitigation Recommendations

Organizations should immediately inventory all eCharge Hardy Barth cPH2 and cPP2 charging stations running firmware versions 2.2.0 or earlier. Until a vendor patch is available, physical security controls must be enhanced to restrict unauthorized access to charging stations, including securing enclosures and monitoring access points. Network segmentation should be implemented to isolate charging stations from critical internal networks, minimizing potential lateral movement. Where possible, disable SSH access or restrict it to trusted management networks and enforce strict firewall rules. Regularly monitor device logs and network traffic for unusual authentication attempts or access patterns. Engage with the vendor to obtain firmware updates or patches that remove or allow changing the hard-coded credentials. If no patch is available, consider replacing vulnerable devices or deploying compensating controls such as VPN tunnels with strong authentication for remote management. Additionally, implement strict change management and incident response procedures to quickly address any detected compromise.

Technical Details

Data Version: 5.1
Assigner Short Name: SEC-VLab
Date Reserved: 2025-05-20T07:34:22.865Z
Cisa Enriched: false
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682dbe9bc4522896dcbfc036

Added to database: 5/21/2025, 11:52:59 AM

Last enriched: 7/6/2025, 4:57:15 AM

Last updated: 7/30/2025, 4:08:43 PM
