CVE-2025-48417: Hard-Coded Certificate and Private Key for HTTPS Web Interface in eCharge Hardy Barth cPH2 / cPP2 charging stations
Description
The certificate and private key used for providing transport layer security for connections to the web interface (TCP port 443) is hard-coded in the firmware and are shipped with the update files. An attacker can use the private key to perform man-in-the-middle attacks against users of the admin interface. The files are located in /etc/ssl (e.g. salia.local.crt, salia.local.key and salia.local.pem). There is no option to upload/configure custom TLS certificates.
Classification
CVE ID: CVE-2025-48417
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Problem Types
CWE-321 Use of Hard-coded Cryptographic KeyAffected Products
Vendor: eCharge Hardy Barth
Product: cPH2 / cPP2 charging stations
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.02% (probability of being exploited)
EPSS Percentile: 3.65% (scored less or equal to compared to others)
EPSS Date: 2025-06-19 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-48417https://r.sec-consult.com/echarge