The vulnerability identified as CVE-2025-52268 affects the StarCharge Artemis AC Charger 7-22 kW version 1.0.4. The root cause is the presence of a hardcoded AES encryption key embedded within the device firmware. This cryptographic key is used to secure login tokens that authenticate users or administrators to the charger’s management interface. Because the key is static and known, attackers can leverage it to either decrypt intercepted login tokens or forge new tokens, thereby bypassing authentication controls without needing any privileges or user interaction. The CVSS v3.1 score of 7.5 reflects a high-severity rating, primarily due to the network attack vector (AV:N), low attack complexity (AC:L), and no privileges or user interaction required (PR:N/UI:N). The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. No patches or fixes have been published yet, and no active exploitation has been reported. The CWE-200 classification indicates exposure of sensitive information. This vulnerability could allow unauthorized remote access to the charger’s administrative functions, potentially enabling attackers to manipulate charging sessions or gather sensitive operational data. Given the increasing deployment of electric vehicle charging infrastructure, this vulnerability poses a significant risk to the security of EV charging networks.

For European organizations, particularly those operating or managing EV charging infrastructure, this vulnerability presents a significant confidentiality risk. Unauthorized access to login tokens could allow attackers to impersonate legitimate users or administrators, potentially leading to unauthorized control over charging stations. This could result in privacy breaches, unauthorized usage, or disruption of EV charging services. While the vulnerability does not directly impact system integrity or availability, the ability to decrypt or forge tokens undermines trust in the authentication mechanism and could facilitate further attacks. Organizations in Europe with large EV fleets, public charging networks, or smart grid integrations may face operational disruptions or reputational damage if attackers exploit this flaw. Additionally, attackers could leverage compromised chargers as footholds for lateral movement within organizational networks if proper segmentation is not enforced. The lack of patches increases the urgency for interim mitigations. The impact is heightened in countries with advanced EV adoption and critical infrastructure reliance on such charging solutions.

Immediate mitigation steps include isolating affected StarCharge Artemis AC Chargers from critical network segments to limit exposure. Organizations should implement strict network segmentation and firewall rules to restrict access to charger management interfaces. Monitoring network traffic for anomalous authentication attempts or token usage can help detect exploitation attempts. Since no official patches are available, organizations should engage with the vendor for firmware updates or security advisories. Where possible, replace or upgrade affected chargers to versions without the hardcoded key vulnerability. Employ multi-factor authentication or additional access controls around charger management systems to reduce risk. Conduct regular security audits and penetration testing focused on EV charging infrastructure. Finally, maintain an inventory of all deployed chargers to ensure comprehensive coverage of mitigation efforts.