CVE-2025-3883
📋 TL;DR
This vulnerability allows attackers on the same network to execute arbitrary commands on eCharge Hardy Barth cPH2 charging stations without authentication. The flaw exists in how the index.php endpoint processes GET parameters, enabling remote code execution as the www-data user. All unpatched installations of affected charging stations are vulnerable.
💻 Affected Systems
- eCharge Hardy Barth cPH2 charging station
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of charging station allowing attackers to disrupt charging operations, steal user data, pivot to internal networks, or cause physical damage through electrical manipulation.
Likely Case
Attackers gain www-data user access to execute arbitrary commands, potentially disrupting charging services, stealing connected vehicle data, or using the station as a foothold for further attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to the charging station itself without lateral movement to other systems.
🎯 Exploit Status
The vulnerability requires network adjacency but no authentication, making exploitation straightforward for attackers with network access. ZDI has confirmed the vulnerability but hasn't released exploit details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available references
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-249/
Restart Required: Yes
Instructions:
1. Contact eCharge Hardy Barth for patch information.
2. Apply the official firmware update.
3. Restart the charging station.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Network segmentation
Isolate charging stations on separate VLANs with strict firewall rules
Web application firewall
Deploy a WAF to block malicious GET parameter patterns
🧯 If You Can't Patch
- Segment charging station network completely from corporate/internal networks
- Implement strict network access controls allowing only necessary traffic to/from charging stations
🔍 How to Verify
Check if Vulnerable:
Check whether the index.php endpoint accepts and processes GET parameters without proper validation. Test with safe command injection payloads (such as the 'id' command) if authorized.
Check Version:
Check firmware version through charging station web interface or management console
Verify Fix Applied:
After patching, attempt to exploit the vulnerability with safe test payloads to confirm command injection is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET parameters in web server logs
- Commands like 'id', 'ls', 'cat' in URL parameters
- Multiple failed exploitation attempts
Network Indicators:
- Unusual outbound connections from charging station
- Traffic to index.php with suspicious parameter values
- Unexpected network scanning from charging station IP
SIEM Query:
source="web_logs" AND uri="*index.php*" AND (uri="*;*" OR uri="*|*" OR uri="*`*" OR uri="*$(*")
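As an added example (not part of the advisory or any vendor tooling), the Log Indicators and SIEM Query above turned into a small log scanner run over constructed Apache-style log lines: it URL-decodes each index.php GET parameter before matching, so encoded or double-encoded metacharacters that a raw substring query would miss are still flagged. The IPs, timestamps and requests are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines for the demo; not taken from any real device.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Apr/2025:10:00:01 +0000] "GET /index.php?page=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Apr/2025:10:00:02 +0000] "GET /index.php?page=status%3Bid HTTP/1.1" 200 90 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Apr/2025:10:00:03 +0000] "GET /index.php?cmd=%24%28id%29 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Apr/2025:10:00:04 +0000] "GET /static/app.js?v=%3Bid HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Same metacharacters as the page's SIEM query, plus the command names it lists as log indicators.
META_RE = re.compile(r'[;|`]|\$\(')
CMD_RE = re.compile(r'(?:^|[\s;|`(])(?:id|ls|cat)(?=[\s;|)]|$)')

def suspicious_params(target):
    """Return (name, decoded_value, reason) for index.php GET parameters that look like injection."""
    parts = urlsplit(target)
    if not parts.path.endswith("index.php"):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded payloads (%253B -> %3B -> ;)
        decoded = unquote(value)
        reasons = [label for rx, label in ((META_RE, "shell metacharacter"), (CMD_RE, "command name"))
                   if rx.search(decoded)]
        if reasons:
            findings.append((name, decoded, ", ".join(reasons)))
    return findings

def scan(lines):
    """Parse each log line and return one alert dict per suspicious parameter."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        for name, value, reason in suspicious_params(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "param": name, "value": value, "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f'{a["ts"]} {a["ip"]} {a["param"]}={a["value"]!r} ({a["reason"]})')
```

Point the scanner at the station's real access log to get the same alerts the SIEM query would produce, with the encoded cases included.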