PatchSiren cyber security CVE debrief
CVE-2025-5873 Raw CVE debrief
CVE-2025-5873 is a remotely reachable web UI flaw in Hardy Barth Salia board firmware <=2.3.81. The advisory says the /firmware.php handler can be abused through the media parameter to trigger unrestricted file upload. CISA’s source notes public exploit disclosure and no vendor response to early coordination. The advisory describes the issue as critical, while the supplied CVSS 3.1 vector scores it 6.3 (Medium).
- Vendor
- Raw
- Product
- Hardy Barth Salia Board Firmware <=2.3.81
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-21
- Original CVE updated
- 2026-04-21
- Advisory published
- 2026-04-21
- Advisory updated
- 2026-04-21
Who should care
Operators and maintainers of Hardy Barth Salia EV charge controllers, especially those exposing the Web UI on trusted or untrusted networks. OT/ICS teams responsible for remote management, perimeter controls, and asset inventory should treat this as relevant even if internet exposure is limited.
Technical summary
The published advisory states that unknown code in the Web UI component, specifically /firmware.php, accepts a manipulated media argument that leads to unrestricted upload. The attack is remote and does not require user interaction. Based on the supplied CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), exploitation requires low privileges but can affect confidentiality, integrity, and availability at limited scope.
Defensive priority
High for any exposed management interface or systems used in operational EV charging environments. The combination of remote reachability, upload abuse, and public exploit disclosure increases urgency even though the supplied CVSS score is Medium.
Recommended defensive actions
- Identify all Hardy Barth Salia deployments and confirm whether firmware is at or below 2.3.81.
- Restrict access to the Web UI to approved management networks only; do not expose it to the internet.
- Segment EV charging management interfaces from general user networks and other OT/IT zones.
- Monitor for unexpected file uploads, new web content, or changes under the firmware/web UI paths.
- Review authentication, logging, and administrative access controls around the device management interface.
- Track CISA and vendor channels for remediation guidance or firmware updates; the source corpus does not provide a fixed version.
- Apply CISA ICS recommended practices and defense-in-depth guidance referenced in the advisory.
Evidence notes
Grounded in CISA CSAF advisory ICSA-26-111-05 and the supplied CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. Timing context uses the supplied published/modified date of 2026-04-21T05:00:00.000Z. The source notes public exploit disclosure and vendor nonresponse to early coordination.
Official resources
-
CVE-2025-5873 CVE record
CVE.org
-
CVE-2025-5873 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory on 2026-04-21. The source states the exploit has been disclosed publicly and that the vendor did not respond to early coordination attempts.