OS Command Injection Vulnerabilities in Device Firmware by Vendor A
CVE-2025-27804

6.5 MEDIUM

Key Information:

Vendor
CVE Published:
21 May 2025

What is CVE-2025-27804?

Multiple OS command injection issues have been identified in the device firmware's /var/salia/mqtt.php script. By sending specifically crafted messages to designated MQTT topics, it is possible to execute arbitrary OS commands with root permissions. This vulnerability underscores serious security risks, potentially leading to unauthorized access and manipulation of the device's operating system.

Affected Version(s)

cPH2 / cPP2 charging stations <=2.2.0

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stefan Viehböck | SEC Consult Vulnerability Lab