Security researchers have discovered seven critical vulnerabilities in Hardy Barth’s eCharge cPH2 and cPP2 electric vehicle charging stations that could allow attackers to gain complete administrative control without authentication.
The flaws, identified by Stefan Viehböck from SEC Consult Vulnerability Lab, affect firmware version 2.2.0 and pose significant risks to EV charging infrastructure operators worldwide.
Despite being notified through responsible disclosure procedures over 160 days ago, the vendor has yet to release patches for any of the identified security issues.
The vulnerabilities span multiple attack vectors, creating a comprehensive security nightmare for charging point operators.
The most severe flaw, designated CVE-2025-27803, involves a complete absence of authentication mechanisms for both the web interface and MQTT server.
This allows any attacker with network access to immediately obtain administrative privileges and reconfigure devices or access sensitive data.
Compounding the missing authentication, researchers discovered multiple OS command injection vulnerabilities (CVE-2025-27804) within the device firmware’s MQTT handling script.
Attackers can exploit these flaws by publishing specially crafted messages to specific MQTT topics, enabling arbitrary command execution with root-level permissions.
The attack surface extends further through three separate backdoor mechanisms embedded within the firmware.
The first backdoor involves hard-coded root user credentials (CVE-2025-48413) stored in system password files that ship with firmware updates.
Additional backdoors operate through undocumented web interface scripts (CVE-2025-48414) and USB drive functionality (CVE-2025-48415) that responds to specially crafted configuration files.
A dormant SSH backdoor (CVE-2025-48416) listens on port 22 and can be activated through several of the paths above, even though root login is initially disabled.
Vendor Response Falls Short Despite Extended Disclosure Period
The disclosure timeline reveals concerning delays in vendor response and remediation efforts. SEC Consult initially reported findings to a mutual customer in late 2023 before formally contacting Hardy Barth in November 2024.
While the vendor acknowledged receipt and claimed to be addressing security issues for release 2.3.0, subsequent communications showed repeated delays.
Hardy Barth initially indicated fixes would arrive in February 2025, then pushed the timeline to April 2025, and finally provided no concrete timeframe when contacted in May 2025.
The vendor’s latest communication merely stated they were “still working on the release” without providing an estimated completion date.
This extended delay prompted SEC Consult to publish the advisory publicly to enable defensive measures against potential attacks.
Recommended Mitigation Measures
The vulnerabilities carry significant implications for electric vehicle charging infrastructure security, particularly as EV adoption accelerates globally.
The combination of network-accessible and physical attack vectors creates multiple pathways for malicious actors to compromise charging operations, potentially disrupting services or accessing sensitive customer data.
Organizations operating Hardy Barth charging stations should prioritize implementing recommended mitigations while awaiting official patches from the manufacturer.
According to the report, SEC Consult recommends immediate mitigation measures, including physical security enhancements, network isolation, strict firewall rules, and disabling unnecessary remote access interfaces.
Charge point operators should implement comprehensive monitoring systems and consider the broader OCPP protocol implications in their security assessments.
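One way an operator can verify that the network isolation recommended above is actually in place is to run a reachability check against the charger inventory from an untrusted segment (office LAN, guest Wi-Fi). The script below is an added example, not part of the advisory or the vendor's software; it assumes the web interface on TCP 80 and the MQTT broker on the standard 1883 (the advisory names only port 22 for SSH), and the addresses are constructed placeholders.

```python
import socket
from typing import Callable, Dict, List

# Services the advisory names as unauthenticated or backdoored on the chargers.
# Port 22 comes from the advisory; 80 and 1883 are ASSUMED standard defaults.
CHARGER_SERVICES: Dict[str, int] = {"web": 80, "mqtt": 1883, "ssh": 22}


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds from this network position."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(
    hosts: List[str],
    services: Dict[str, int] = CHARGER_SERVICES,
    reachable: Callable[[str, int], bool] = tcp_reachable,
) -> Dict[str, List[str]]:
    """Map each charger host to the management-only services reachable from here.

    Run from a segment that should NOT be able to manage the chargers: any
    non-empty list means the firewall/VLAN isolation is not doing its job.
    `reachable` is injectable so the logic can be exercised without live devices.
    """
    return {
        host: sorted(name for name, port in services.items() if reachable(host, port))
        for host in hosts
    }


def exposed_hosts(results: Dict[str, List[str]]) -> List[str]:
    """Hosts that expose at least one service that should be unreachable."""
    return sorted(host for host, exposed in results.items() if exposed)


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET-1); replace with the real inventory.
    chargers = ["192.0.2.10", "192.0.2.11"]
    results = check_isolation(chargers)
    for host in chargers:
        state = "EXPOSED: " + ", ".join(results[host]) if results[host] else "isolated"
        print(f"{host}: {state}")
```

Because the devices offer no authentication, any host listed as exposed should be treated as fully manageable by whoever shares that network segment until the firewall or VLAN configuration is corrected.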
The researchers notably excluded OCPP analysis from their investigation, suggesting additional vulnerabilities may exist within charging communication protocols.
The absence of available fixes underscores the critical importance of proactive security measures and vendor accountability in critical infrastructure sectors.