CVE-2025-48416

CVE-2025-48416: Backdoor Functionality via SSH in eCharge Hardy Barth cPH2 / cPP2 charging stations

Vendor Echarge Hardy Barth
Product cPH2 / cPP2 charging stations
Weakness CWE-912
Published May 21, 2025
Last update November 3, 2025

CVSS base score

What the vulnerability does

01Description

An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the "/etc/shadow" file in the firmware image for the "root" user. However, in the default SSH configuration the "PermitRootLogin" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though.

Key dates

02Disclosure timeline

May 21, 2025 CVE published
November 3, 2025 Record updated