CVE-2025-48416 (GCVE-0-2025-48416)

Vulnerability from cvelistv5 – Published: 2025-05-21 12:15 – Updated: 2025-11-03 20:04
VLAI?
Summary
An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the "/etc/shadow" file in the firmware image for the "root" user. However, in the default SSH configuration the "PermitRootLogin" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
https://r.sec-consult.com/echarge third-party-advisory
Impacted products
Vendor Product Version
eCharge Hardy Barth cPH2 / cPP2 charging stations Affected: <=2.2.0
Create a notification for this product.
Credits
Stefan Viehböck | SEC Consult Vulnerability Lab
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-48416",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-30T16:24:30.804367Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-30T16:25:51.046Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:04:50.778Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://seclists.org/fulldisclosure/2025/May/23"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "cPH2 / cPP2 charging stations",
          "vendor": "eCharge Hardy Barth",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c=2.2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Stefan Viehb\u00f6ck | SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAn OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the \"/etc/shadow\" file in the firmware image for the \"root\" user. However, in the default SSH configuration the \"PermitRootLogin\" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the \"/etc/shadow\" file in the firmware image for the \"root\" user. However, in the default SSH configuration the \"PermitRootLogin\" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-176",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-176 Configuration/Environment Manipulation"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-912",
              "description": "CWE-912 Hidden Functionality",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-21T12:15:02.694Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://r.sec-consult.com/echarge"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe vendor has not yet released a patch or communicated a timeline for firmware updates.\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "The vendor has not yet released a patch or communicated a timeline for firmware updates."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Backdoor Functionality via SSH in eCharge Hardy Barth cPH2 / cPP2 charging stations",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2025-48416",
    "datePublished": "2025-05-21T12:15:02.694Z",
    "dateReserved": "2025-05-20T07:34:22.865Z",
    "dateUpdated": "2025-11-03T20:04:50.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-48416\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2025-05-21T13:16:02.947\",\"lastModified\":\"2025-11-03T20:19:06.773\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the \\\"/etc/shadow\\\" file in the firmware image for the \\\"root\\\" user. However, in the default SSH configuration the \\\"PermitRootLogin\\\" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though.\"},{\"lang\":\"es\",\"value\":\"Un demonio OpenSSH escucha en el puerto TCP 22. Hay una entrada incluida en el archivo \u00ab/etc/shadow\u00bb en la imagen del firmware para el usuario \u00abroot\u00bb. Sin embargo, en la configuraci\u00f3n SSH por defecto el \u00abPermitRootLogin\u00bb est\u00e1 desactivado, impidiendo que el usuario root inicie sesi\u00f3n a trav\u00e9s de SSH. No obstante, esta configuraci\u00f3n puede ser evitada/cambiada por un atacante de m\u00faltiples formas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-912\"}]}],\"references\":[{\"url\":\"https://r.sec-consult.com/echarge\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"http://seclists.org/fulldisclosure/2025/May/23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://seclists.org/fulldisclosure/2025/May/23\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T20:04:50.778Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48416\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-30T16:24:30.804367Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-30T16:23:35.526Z\"}}], \"cna\": {\"title\": \"Backdoor Functionality via SSH in eCharge Hardy Barth cPH2 / cPP2 charging stations\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Stefan Viehb\\u00f6ck | SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-176\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-176 Configuration/Environment Manipulation\"}]}], \"affected\": [{\"vendor\": \"eCharge Hardy Barth\", \"product\": \"cPH2 / cPP2 charging stations\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c=2.2.0\"}], \"defaultStatus\": \"affected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor has not yet released a patch or communicated a timeline for firmware updates.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe vendor has not yet released a patch or communicated a timeline for firmware updates.\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/echarge\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the \\\"/etc/shadow\\\" file in the firmware image for the \\\"root\\\" user. However, in the default SSH configuration the \\\"PermitRootLogin\\\" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAn OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the \\\"/etc/shadow\\\" file in the firmware image for the \\\"root\\\" user. However, in the default SSH configuration the \\\"PermitRootLogin\\\" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-912\", \"description\": \"CWE-912 Hidden Functionality\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2025-05-21T12:15:02.694Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-48416\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T20:04:50.778Z\", \"dateReserved\": \"2025-05-20T07:34:22.865Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2025-05-21T12:15:02.694Z\", \"assignerShortName\": \"SEC-VLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.