CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-48416: Backdoor Functionality via SSH in eCharge Hardy Barth cPH2 / cPP2 charging stations

Description

An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the "/etc/shadow" file in the firmware image for the "root" user. However, in the default SSH configuration the "PermitRootLogin" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though.

Classification

CVE ID: CVE-2025-48416

Problem Types

CWE-912 Hidden Functionality

Affected Products

Vendor: eCharge Hardy Barth

Product: cPH2 / cPP2 charging stations

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 18.55% (scored less or equal to compared to others)

EPSS Date: 2025-06-19 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48416
https://r.sec-consult.com/echarge

Timeline

2025-05-21 13:40:12 UTC
CVE

Backdoor Functionality via SSH in eCharge Hardy Barth cPH2 / cPP2 charging stations