CVE-2025-48417: CWE-321 Use of Hard-coded Cryptographic Key in eCharge Hardy Barth cPH2 / cPP2 charging stations

Severity: Medium
Tags: Vulnerability, CVE-2025-48417, cve, cve-2025-48417, cwe-321
Published: Wed May 21 2025 (05/21/2025, 12:30:08 UTC)
Source: CVE
Vendor/Project: eCharge Hardy Barth
Product: cPH2 / cPP2 charging stations

Description

The certificate and private key used for providing transport layer security for connections to the web interface (TCP port 443) are hard-coded in the firmware and shipped with the update files. An attacker can use the private key to perform man-in-the-middle attacks against users of the admin interface. The files are located in /etc/ssl (e.g. salia.local.crt, salia.local.key and salia.local.pem). There is no option to upload/configure custom TLS certificates.

AI-Powered Analysis

Last updated: 07/06/2025, 05:24:33 UTC

Technical Analysis

CVE-2025-48417 is a medium-severity vulnerability affecting eCharge Hardy Barth cPH2 and cPP2 electric vehicle charging stations running firmware versions up to 2.2.0. The core issue is the use of a hard-coded cryptographic key and certificate embedded in the device firmware, specifically used to secure the transport layer security (TLS) connections to the device's web administration interface on TCP port 443. These cryptographic materials, including the private key and certificate files (e.g., salia.local.crt, salia.local.key, salia.local.pem), are stored in the /etc/ssl directory and are shipped as part of the firmware update files. Because the private key is static and identical across all affected devices, an attacker who obtains this key can impersonate the charging station's web interface and perform man-in-the-middle (MitM) attacks against administrators accessing the device remotely or locally. This undermines the confidentiality and integrity of administrative sessions, potentially allowing attackers to intercept credentials, manipulate device settings, or inject malicious commands. The vulnerability is exacerbated by the fact that there is no option for administrators to upload or configure custom TLS certificates, forcing reliance on the insecure default keys. The CVSS v3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, no privileges or user interaction required, and limited impact on confidentiality and integrity but no impact on availability. No known exploits are currently reported in the wild, but the static nature of the key makes exploitation straightforward once the key is obtained, for example, by extracting it from firmware update files or compromised devices.

Potential Impact

For European organizations deploying eCharge Hardy Barth cPH2 and cPP2 charging stations, this vulnerability poses a significant risk to the security of their EV charging infrastructure management. Successful MitM attacks could lead to unauthorized access to the administrative interface, allowing attackers to alter charging station configurations, disrupt operations, or harvest sensitive credentials. This could impact operational continuity of EV charging services, damage organizational reputation, and potentially expose connected networks to further compromise if attackers pivot from the charging station to internal systems. Confidentiality of administrative credentials and integrity of device configurations are the primary concerns. Given the increasing adoption of EV infrastructure across Europe, especially in countries pushing for green energy and electric mobility, this vulnerability could affect critical infrastructure and commercial deployments. The lack of availability impact reduces the risk of direct service outages, but stealthy manipulation remains a concern. Additionally, attackers could leverage compromised stations as footholds for broader attacks within enterprise or municipal networks.

Mitigation Recommendations

To mitigate this vulnerability, affected organizations should:

1) Immediately restrict network access to the charging stations' administrative interfaces, ideally isolating them on dedicated management VLANs or behind VPNs to limit exposure to untrusted networks.
2) Monitor network traffic for suspicious TLS certificates or unexpected connections to detect potential MitM attempts.
3) Engage with eCharge Hardy Barth to obtain firmware updates or patches that replace the hard-coded keys with unique, per-device certificates or allow custom certificate provisioning.
4) If no patch is available, consider deploying compensating controls such as network-level TLS interception with trusted certificates or proxying administrative access through secure jump hosts.
5) Regularly audit and rotate administrative credentials and enforce strong authentication mechanisms to reduce the impact of credential compromise.
6) For future deployments, prioritize devices that support secure, configurable cryptographic practices and avoid those with hard-coded keys.
7) Educate administrators on verifying certificate fingerprints before trusting the web interface to detect anomalous certificates indicative of MitM attacks.
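For recommendations 2 and 7, the following is an added example (not from the advisory or the vendor) that fingerprints the certificate shipped in /etc/ssl and reports which inventoried stations present it. The helper names, the 192.0.2.x hosts and the PEM samples are constructed; real input would be the firmware's certificate file and, per station, the PEM text returned by `ssl.get_server_certificate((host, 443))`.

```python
import hashlib
import re
import ssl
from collections import defaultdict

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 of each CERTIFICATE block; other PEM blocks are skipped."""
    return [
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in CERT_RE.findall(pem_text)
    ]


def audit(firmware_pem, observed):
    """Group hosts by presented certificate; observed is {host: PEM text}."""
    known = set(cert_fingerprints(firmware_pem))
    by_fp = defaultdict(list)
    for host, pem in observed.items():
        fps = cert_fingerprints(pem)
        if fps:  # the first block is taken as the leaf certificate
            by_fp[fps[0]].append(host)
    shared = sorted(h for fp, hs in by_fp.items() if fp in known for h in hs)
    # A certificate served by several hosts is also a shared-key indicator.
    reused = sorted(sorted(hs) for fp, hs in by_fp.items()
                    if fp not in known and len(hs) > 1)
    return {"firmware_cert": shared, "reused_elsewhere": reused}


def fake_pem(label):
    """Constructed stand-in: arbitrary bytes in PEM armour, not a real cert."""
    return ssl.DER_cert_to_PEM_cert(label)


# Constructed sample data (hypothetical hosts in the 192.0.2.0/24 test range).
# Assumption: a combined .pem may carry a key block next to the certificate.
FIRMWARE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    + fake_pem(b"constructed-firmware-cert")
)
OBSERVED = {
    "192.0.2.11": fake_pem(b"constructed-firmware-cert"),
    "192.0.2.12": fake_pem(b"constructed-firmware-cert"),
    "192.0.2.30": fake_pem(b"constructed-unique-cert"),
}

if __name__ == "__main__":
    print(audit(FIRMWARE_PEM, OBSERVED))
```

A match shows that a station still serves the shared firmware certificate; it does not authenticate the peer, because anyone holding the shipped key can present the same certificate.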

Technical Details

Data Version: 5.1
Assigner Short Name: SEC-VLab
Date Reserved: 2025-05-20T07:34:22.865Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682dc923c4522896dcbfcdcb

Added to database: 5/21/2025, 12:37:55 PM

Last enriched: 7/6/2025, 5:24:33 AM

Last updated: 8/16/2025, 7:47:58 AM
