CVE-2023-46360 – CVE-2023-46360 is a privilege escalation vulner... (How to Fix)

Q: What is the severity of CVE-2023-46360?

CVE-2023-46360 has a CVSS score of 8.8 (HIGH). CVE-2023-46360 is a privilege escalation vulnerability in Hardy Barth cPH2 eCharge charging stations that allows attackers to execute commands with unnecessary elevated privileges. This affects cPH2 eCharge Ladestation version 1.87.0 and earlier. Organizations using these charging stations for electric vehicle infrastructure are at risk.

📋 TL;DR

CVE-2023-46360 is a privilege escalation vulnerability in Hardy Barth cPH2 eCharge charging stations that allows attackers to execute commands with unnecessary elevated privileges. This affects cPH2 eCharge Ladestation version 1.87.0 and earlier. Organizations using these charging stations for electric vehicle infrastructure are at risk.

💻 Affected Systems

Products:

Hardy Barth cPH2 eCharge Ladestation

Versions: v1.87.0 and earlier

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All installations running affected firmware versions are vulnerable by default.

📦 What is this software?

Cph2 Echarge Firmware by Hardy Barth

View all CVEs affecting Cph2 Echarge Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of charging station allowing attackers to manipulate charging operations, steal user data, or use the device as a foothold into connected networks.

🟠

Likely Case

Unauthorized access to charging station controls allowing manipulation of charging sessions, billing fraud, or service disruption.

🟢

If Mitigated

Limited impact if network segmentation and proper access controls prevent lateral movement from compromised charging stations.

🌐 Internet-Facing: HIGH - Charging stations are often internet-connected for remote management and payment processing.

🏢 Internal Only: MEDIUM - Internal network access could still allow exploitation if attackers gain initial access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires some level of access to the device management interface. The vulnerability is related to CVE-2023-46359 (OS command injection).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.88.0 or later

Vendor Advisory: http://hardy.com

Restart Required: Yes

Instructions:

1. Contact Hardy Barth for updated firmware. 2. Backup current configuration. 3. Upload new firmware via management interface. 4. Reboot charging station. 5. Verify firmware version.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate charging stations on separate VLANs with strict firewall rules limiting inbound/outbound connections.

Access Control Restrictions

all

Implement strict authentication and authorization controls for management interfaces.

🧯 If You Can't Patch

Implement network-level controls to restrict access to charging station management interfaces
Monitor for unusual network traffic patterns or unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via management interface. If version is 1.87.0 or earlier, the system is vulnerable.

Check Version:

Check via web interface at http://[station-ip]/status or via SSH if enabled

Verify Fix Applied:

Verify firmware version is 1.88.0 or later after applying patch.

📡 Detection & Monitoring

Log Indicators:

Unusual privilege escalation attempts
Unauthorized access to management interfaces
Unexpected system command execution

Network Indicators:

Unusual outbound connections from charging stations
Traffic to unexpected ports
Multiple failed authentication attempts

SIEM Query:

source="charging-station" AND (event_type="privilege_escalation" OR cmd_exec="*" OR auth_failure>5)

📊 Metadata

CVE ID: CVE-2023-46360

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-250

Published: February 6, 2024

Last Updated: November 21, 2024

🔗 References

http://hardy.com Not Applicable
https://www.offensity.com/en/blog/os-command-injection-in-cph2-charging-station-200-cve-2023-46359-and-cve-2023-46360/ Exploit
http://hardy.com Not Applicable
https://www.offensity.com/en/blog/os-command-injection-in-cph2-charging-station-200-cve-2023-46359-and-cve-2023-46360/ Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46360, you might also want to check these: