CVE-2025-10371 Overview
CVE-2025-10371 is an unrestricted file upload vulnerability affecting eCharge Hardy Barth Salia PLCC firmware up to version 2.3.81. The flaw resides in /api.php, where manipulation of the setrfidlist argument allows attackers to upload arbitrary files without restriction. The vulnerability is exploitable remotely over the network with no authentication or user interaction required. A public proof-of-concept has been released, increasing the risk of opportunistic exploitation against exposed charging stations. The vendor was contacted prior to disclosure but did not respond, leaving affected devices without an official patch. This vulnerability maps to CWE-284 — Improper Access Control.
Critical Impact
Remote, unauthenticated attackers can write arbitrary files to vulnerable Salia PLCC charging controllers through the setrfidlist parameter, potentially leading to system compromise.
Affected Products
- eCharge Hardy Barth Salia PLCC firmware versions up to and including 2.3.81
- Salia PLCC /api.php endpoint handling the setrfidlist parameter
- Deployments of Hardy Barth electric vehicle charging controllers exposed to untrusted networks
Discovery Timeline
- 2025-09-13 - CVE-2025-10371 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10371
Vulnerability Analysis
The vulnerability is an unrestricted file upload weakness in the Salia PLCC web management interface. The /api.php endpoint accepts the setrfidlist argument, which is intended to manage RFID access lists for the charging controller. The endpoint fails to enforce access controls or validate the content and type of uploaded data. As a result, a remote attacker can submit crafted requests that write attacker-controlled content to the file system. Because the affected device is an Internet-of-Things (IoT) charging controller, file write primitives in the web root or configuration directories can lead to persistent control over the device.
Root Cause
The root cause is improper access control on a file-writing API path, classified as CWE-284. The setrfidlist handler does not authenticate callers, restrict file paths, or validate file content. Combined, these gaps allow an attacker to convert a list-management feature into an arbitrary file write primitive.
Attack Vector
The attack is performed remotely over the network against the device's HTTP service. The attacker sends a crafted POST request to /api.php referencing the setrfidlist parameter with attacker-controlled file contents. No credentials, prior access, or user interaction are required. A public proof-of-concept is available at the GitHub CVE PoC repository, demonstrating the file-write request structure against the api.php endpoint.
Detection Methods for CVE-2025-10371
Indicators of Compromise
- HTTP POST requests to /api.php containing the setrfidlist parameter from external or unexpected source addresses
- Unexpected new or modified files within the Salia PLCC web root or configuration directories
- Outbound network connections initiated by the charging controller to attacker infrastructure following file writes
Detection Strategies
- Inspect web server and reverse proxy logs for requests targeting api.php with the setrfidlist argument and abnormally large or binary payloads
- Baseline expected RFID list management traffic and alert on requests originating outside management networks
- Perform integrity monitoring on the device firmware filesystem to detect unauthorized file writes
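The first two detection strategies above can be run over reverse-proxy access logs. The following script is an added example written for this advisory; it is not tooling from the vendor, VulDB or the CVE PoC repository. It assumes the proxy in front of the controller writes an extended combined log line with the request length appended as a final field (nginx's $request_length variable, for instance), that the management network is 10.10.50.0/24, and that anything above 8 KiB in a setrfidlist request is oversized; all three are assumptions to adjust locally, and the log lines embedded in the script are constructed for illustration.

```python
"""Flag suspicious setrfidlist requests to /api.php in reverse-proxy logs.

Added example for this advisory; not vendor or project code.
Assumes an extended combined log format with the request length
(e.g. nginx $request_length) appended as the last field.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines: combined format plus trailing request length.
SAMPLE_LOG = """\
10.10.50.12 - - [13/Sep/2025:08:01:10 +0000] "GET /index.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0" 412
10.10.50.12 - - [13/Sep/2025:08:02:44 +0000] "POST /api.php?setrfidlist=1 HTTP/1.1" 200 95 "-" "Mozilla/5.0" 1290
203.0.113.45 - - [13/Sep/2025:09:17:03 +0000] "POST /api.php?setrfidlist=1 HTTP/1.1" 200 95 "-" "python-requests/2.31" 48211
198.51.100.7 - - [13/Sep/2025:09:20:19 +0000] "POST /api.php?setrfidlist=1 HTTP/1.1" 200 95 "-" "curl/8.4.0" 900
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)" '
    r'(?P<req_len>\d+)$'
)

# Assumed management network; adjust to the operator's environment.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.50.0/24")]
# Assumed threshold: a genuine RFID list is small, so large bodies stand out.
LARGE_REQUEST_BYTES = 8192


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["req_len"] = int(rec["req_len"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so a bare "?setrfidlist" is still seen as present
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_management(src):
    """True if the source address lies inside an assumed management network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def classify(rec):
    """Return the reasons a record is suspicious; an empty list means benign."""
    reasons = []
    if rec["path"] != "/api.php" or "setrfidlist" not in rec["query"]:
        return reasons
    if not is_management(rec["src"]):
        reasons.append("setrfidlist call from outside management network")
    if rec["req_len"] >= LARGE_REQUEST_BYTES:
        reasons.append(f"oversized request body ({rec['req_len']} bytes)")
    return reasons


def scan_log(text):
    """Return (source_ip, timestamp, reasons) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((rec["src"], rec["ts"], reasons))
    return findings


if __name__ == "__main__":
    for src, ts, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {src}: " + "; ".join(reasons))
```

Run against the embedded sample, the script reports the two external callers and stays quiet about the management-subnet request, which is the baseline-and-alert behaviour the second strategy describes. The request-length field matters because a standard combined log only records response bytes, which say nothing about how much data an uploader sent.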
Monitoring Recommendations
- Forward charging controller HTTP access logs to a centralized log analytics platform for retention and correlation
- Monitor north-south traffic to operational technology (OT) segments hosting Hardy Barth devices for anomalous HTTP patterns
- Alert on management-plane access to charging controllers from non-administrative source ranges
How to Mitigate CVE-2025-10371
Immediate Actions Required
- Remove Salia PLCC management interfaces from direct Internet exposure and place them behind a VPN or firewall
- Restrict access to /api.php to trusted administrative source addresses through network access control lists
- Audit charging controllers for unexpected files, modified configurations, or new RFID list entries indicating prior abuse
Patch Information
No vendor patch is available at the time of publication. According to the disclosure, the vendor was contacted early but did not respond. Operators should track the VulDB #323779 Analysis and vendor channels for future firmware updates addressing the setrfidlist handler.
Workarounds
- Block external access to TCP ports serving the Salia PLCC web interface at perimeter and segmentation firewalls
- Place affected devices on isolated OT VLANs reachable only through authenticated jump hosts
- Disable or filter access to the /api.php endpoint at an upstream reverse proxy until a vendor fix is released
# Example iptables rules restricting the HTTP port that serves api.php to a management subnet
# (iptables filters by port, not by URL path, so this limits the whole web interface on port 80)
iptables -A INPUT -p tcp --dport 80 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.