CVE-2025-48413
HIGH
eCharge Hardy Barth cPH2 / cPP2 charging stations <= 2.2.0 - Use of Hard-coded Credentials
Title source: llm
Description
The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system "root" user. The credentials are shipped with the update files. End users have no option to delete or change these passwords. An attacker can use the credentials to log into the device. Authentication can be performed via an SSH backdoor or likely via physical access (UART shell).
References (2)
Core References
Various Sources third-party-advisory
https://r.sec-consult.com/echarge
Mailing List
http://seclists.org/fulldisclosure/2025/May/23
Scores
CVSS v3: 7.7
EPSS: 0.0022
EPSS Percentile: 11.9%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-798
Status: published
Products (1)
eCharge Hardy Barth/cPH2 / cPP2 charging stations <=2.2.0
Published: May 21, 2025
Tracked Since: Feb 18, 2026