CVE-2025-52268: n/a
CVE-2025-52268 is a vulnerability in the StarCharge Artemis AC Charger 7-22 kW v1.0.4 that involves a hardcoded AES encryption key. This flaw enables attackers to forge or decrypt valid login tokens, potentially allowing unauthorized access to the charger’s management interface. Exploitation does not require user interaction but does require knowledge of the hardcoded key, which is embedded in the device firmware. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to the confidentiality and integrity of authentication tokens. European organizations deploying these chargers could face unauthorized control or manipulation of charging infrastructure. Mitigation requires firmware updates to remove hardcoded keys and implement secure key management. Countries with high EV adoption and infrastructure deployment, such as Germany, Netherlands, France, and the UK, are most likely to be affected. Given the potential for unauthorized access and control over critical charging infrastructure, the severity is assessed as high.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-52268 affects the StarCharge Artemis AC Charger 7-22 kW version 1.0.4. The core issue is the presence of a hardcoded AES encryption key within the device’s firmware. This key is used to encrypt and decrypt login tokens that authenticate users to the charger’s management interface. Because the key is hardcoded and identical across devices, an attacker who obtains this key can forge valid login tokens or decrypt existing tokens, thereby bypassing authentication mechanisms. This allows unauthorized access to the charger’s administrative functions, potentially enabling attackers to manipulate charging sessions, disrupt service, or gain further network access if the charger is connected to broader infrastructure. The vulnerability does not require user interaction to exploit but does require knowledge or extraction of the hardcoded key, which could be obtained through firmware analysis or reverse engineering. No CVSS score has been assigned yet, and no public exploits are known at this time. However, the impact on confidentiality and integrity is significant, as authentication tokens can be compromised, undermining trust in the device’s security controls. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate risk assessment and mitigation by affected organizations.
Potential Impact
For European organizations, this vulnerability poses a critical risk to the security of electric vehicle (EV) charging infrastructure. Unauthorized access to charging stations could lead to service disruptions, unauthorized use or denial of charging services, and potential manipulation of billing or usage data. In a broader context, compromised chargers could serve as entry points into corporate or municipal networks, especially if integrated into smart grid or IoT environments. This could result in data breaches, operational disruptions, and reputational damage. Given the increasing reliance on EV infrastructure in Europe’s green energy transition, such vulnerabilities could undermine public trust and slow adoption. Additionally, attackers could leverage this access to cause physical damage or safety hazards by manipulating charging parameters. The impact on availability, while indirect, could be significant if attackers disable or degrade charging services in critical locations.
Mitigation Recommendations
Organizations should immediately inventory their EV charging infrastructure to identify any StarCharge Artemis AC Charger 7-22 kW devices running version 1.0.4. They should engage with the vendor to obtain firmware updates that remove the hardcoded AES key and implement secure key management practices, such as unique per-device keys or hardware security modules. Until patches are available, network segmentation should be enforced to isolate chargers from critical IT and OT networks. Access controls should be tightened, including monitoring and restricting administrative access to the chargers. Logging and anomaly detection should be enhanced to identify suspicious authentication attempts or token usage. If possible, replace affected devices with newer models that follow secure development practices. Additionally, organizations should conduct penetration testing and firmware analysis to verify that no other cryptographic weaknesses exist. Awareness training for operational staff on the risks of embedded device vulnerabilities is also recommended.
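The "unique per-device keys" recommendation above, sketched as an added example (not vendor or project code): each charger's token key is derived with HKDF-SHA256 from a backend master secret and the device serial, so a key recovered from one unit validates nothing on another. The serial format, salt label and token layout are assumptions, and tokens here are authenticated with HMAC-SHA256 rather than the charger's AES token format, which the page does not describe.

```python
import base64
import hashlib
import hmac
import json
import time

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) built from the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def device_key(master_secret: bytes, serial: str) -> bytes:
    # The master secret stays in the backend/HSM; a charger stores only its own key.
    return hkdf_sha256(master_secret, salt=b"charger-token-v1", info=serial.encode())

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(key: bytes, serial: str, user: str, ttl: int = 900, now=None) -> str:
    now = int(time.time()) if now is None else now
    claims = {"dev": serial, "sub": user, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def verify_token(key: bytes, serial: str, token: str, now=None):
    """Return the claims, or None if the tag, device binding or expiry fails."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    if claims.get("dev") != serial or claims.get("exp", 0) <= now:
        return None
    return claims

# Constructed sample values: a test master secret and two hypothetical serials.
MASTER = bytes(range(32))
KEY_A, KEY_B = device_key(MASTER, "SC-0001"), device_key(MASTER, "SC-0002")
```

A token issued under `KEY_A` verifies only on the charger holding `KEY_A`; the same token presented to the second charger is rejected both by the tag check and by the `dev` binding.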
Affected Countries
Germany, Netherlands, France, United Kingdom, Norway, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68ff8033ba6dffc5e2fca3ef
Added to database: 10/27/2025, 2:22:43 PM
Last enriched: 10/27/2025, 2:37:47 PM
Last updated: 10/27/2025, 4:47:07 PM