CVE Details
Basic Information
| Title |
CVE-2025-3881 |
| Type |
cve |
| Published |
2025-05-22T01:15:53 |
| Last Seen |
2025-05-22T01:26:09 |
CVSS Information
| Base Score |
8.8 (HIGH) |
| Attack Vector |
ADJACENT |
| Attack Complexity |
LOW |
| Privileges Required |
NONE |
| User Interaction |
NONE |
| Scope |
UNCHANGED |
| Confidentiality Impact |
HIGH |
| Integrity Impact |
HIGH |
| Availability Impact |
HIGH |
AI Analysis
| AI Description |
This vulnerability allows an attacker to execute arbitrary code on eCharge Hardy Barth cPH2 charging stations by exploiting a command injection flaw in the check_req.php endpoint. No authentication is required, and the attacker can execute code with the privileges of the www-data user. |
| AI Severity |
High |
| Vendor |
eCharge Hardy Barth |
| Product |
cPH2 |
| Affected Version |
|
Additional Information
| CVE List |
CVE-2025-3881 |
| CWE List |
CWE-78 |
| Bulletin Family |
cve |
Description
eCharge Hardy Barth cPH2 check_req.php ntp Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of eCharge Hardy Barth cPH2 charging stations. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the ntp parameter provided to the check_req.php endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-23113.
CVSS Score Summary
Base Score: %!f(string=#) (HIGH)
View Full CVE Details
