Remote Code Execution in EV Charging Stations
As electric vehicles (EVs) become a global standard, the infrastructure that supports them — especially public charging stations — must remain secure. However, recent critical vulnerabilities discovered in the eCharge Hardy Barth cPH2 series have revealed just how fragile these systems can be when left unprotected.
Three major vulnerabilities — CVE-2025-3881, CVE-2025-3882, and CVE-2025-3883 — allow unauthenticated, network-adjacent attackers to execute remote code on affected systems. These flaws stem from improper input validation in PHP scripts used by the charging station’s firmware.
Published Date: May 21, 2025
Summary of the Vulnerabilities
All three CVEs affect different endpoints but lead to the same outcome: Remote Code Execution (RCE) as the www-data user. This privilege level often allows enough access to install backdoors, extract logs, or pivot deeper into the network.
| CVE ID | Endpoint | Vulnerable Parameter | Attack Type | Base Score |
|---|---|---|---|---|
| CVE-2025-3881 | check_req.php | ntp | Command Injection | 8.8 HIGH |
| CVE-2025-3882 | nwcheckexec.php | dest | Command Injection | 8.8 HIGH |
| CVE-2025-3883 | index.php | (Undisclosed) | Command Injection | 8.8 HIGH |
These vulnerabilities were disclosed by the Zero Day Initiative (ZDI) and were originally tracked as ZDI-CAN-23113 through ZDI-CAN-23115.
Realistic Attack Scenarios
1. Drive-by Compromise of a Public Charger (CVE-2025-3881)
A hacker parked near a shopping mall spots an unsecured charging station. They send the following request over the local Wi-Fi:
Outcome: Malware is downloaded and executed. The station is now a bot in the attacker’s network.
2. Remote Reboot or Shutdown of EV Services (CVE-2025-3882)
Using the nwcheckexec.php endpoint, an attacker sends:
Result: The charging station reboots unexpectedly, disrupting charging sessions and user trust.
3. Reverse Shell Access to the EV Charger (CVE-2025-3883)
An advanced attacker exploits index.php with a crafted payload:
Impact: A fully interactive shell is spawned, giving the attacker command-line access to the charger.
Why These Vulnerabilities Matter
These are not theoretical issues. EV chargers are often:
- Connected to critical infrastructure (e.g., transportation hubs)
- Accessible via public or semi-public networks
- Linked with user billing, telemetry, and operational data
A breach in such systems doesn’t just compromise a device — it can ripple across smart grid systems, affect energy management software, or even serve as an entry point into corporate or municipal networks.
Mitigation Recommendations
If you're operating or deploying Hardy Barth cPH2 chargers, take immediate action:
- Apply Firmware Updates: Install the vendor-released firmware that patches the affected scripts.
- Segment Networks: Keep chargers in isolated VLANs or behind VPNs.
- Deploy a Web Application Firewall (WAF): Filter malicious GET requests and parameter abuse.
- Log and Monitor Activity: Track unusual requests to index.php, check_req.php, and nwcheckexec.php.
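To make the last recommendation concrete, here is an added detection script (not from the advisory, ZDI, or the vendor) that scans web-server access logs in combined format for requests to the three endpoints whose ntp or dest values contain shell metacharacters or are not a plain hostname/IP; the log lines, client addresses and the index.php parameter name are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint -> parameter each CVE abuses; index.php's is undisclosed, so all are checked.
WATCHED = {"check_req.php": {"ntp"}, "nwcheckexec.php": {"dest"}, "index.php": None}
# Characters that never belong in a hostname or IP but do steer a shell.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\\]")
# Allow-list for what ntp / dest may legitimately hold (hostname or IPv4).
HOST_OK = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
# Apache/nginx combined log: CLIENT ident user [time] "METHOD URL PROTO" STATUS ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_params(url):
    """Return (endpoint, [(param, value), ...]) if the request looks hostile, else None."""
    parts = urlsplit(url)
    endpoint = parts.path.rsplit("/", 1)[-1]
    if endpoint not in WATCHED:
        return None
    names = WATCHED[endpoint]
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if names is not None and key not in names:
            continue
        value = unquote(value)  # second decode catches double-encoded metacharacters
        if SHELL_META.search(value) or (names is not None and not HOST_OK.match(value)):
            hits.append((key, value))
    return (endpoint, hits) if hits else None

def scan_log(lines):
    """Return one finding per log line that hits a watched endpoint with a bad value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than guess
        client, _method, url, status = m.groups()
        hit = suspicious_params(url)
        if hit:
            findings.append({"client": client, "endpoint": hit[0],
                             "params": hit[1], "status": int(status)})
    return findings

# Constructed sample log lines for the example; no real device or request was used.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/May/2025:10:00:00 +0000] "GET /check_req.php?ntp=pool.ntp.org HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/May/2025:10:00:03 +0000] "GET /check_req.php?ntp=pool.ntp.org%3Becho%20x HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/May/2025:10:00:07 +0000] "GET /nwcheckexec.php?dest=192.168.1.1%20%26%26%20true HTTP/1.1" 200 90',
    '10.0.0.5 - - [21/May/2025:10:00:09 +0000] "GET /index.php?page=status HTTP/1.1" 200 4096',
]
```

Running scan_log(SAMPLE_LOG) flags the second and third lines (one per endpoint) and leaves the two legitimate requests alone; the same functions can be pointed at a real access log read line by line.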
Final Thoughts
These command injection vulnerabilities serve as a stark reminder: the future of transportation must be secured today.
As we integrate more connected devices into everyday life — from electric vehicles to smart homes — input validation, strong authentication, and secure deployment practices become non-negotiable.
Don’t let your infrastructure become the weakest link in the chain.
Follow me for more in-depth CVE analysis and practical cybersecurity insights.